malware taking over Yahoo search - MBAM report

Here is the MBAM log file:

Malwarebytes' Anti-Malware 1.38
Database version: 2314
Windows 5.1.2600

6/20/2009 10:36:49 AM
mbam-log-2009-06-20 (10-36-39).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 160949
Time elapsed: 37 minute(s), 15 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 1
Registry Keys Infected: 14
Registry Values Infected: 6
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 24

Memory Processes Infected:
C:\WINDOWS\freddy46.exe (Worm.KoobFace) → No action taken.
C:\WINDOWS\pp10.exe (Worm.KoobFace) → No action taken.

Memory Modules Infected:
c:\program files\podmena\podmena.dll (Trojan.Agent) → No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\podmena (Trojan.Agent) → No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\podmena (Trojan.Agent) → No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\podmena (Trojan.Agent) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) → No action taken.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) → No action taken.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) → No action taken.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) → No action taken.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) → No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\podmenadrv (Trojan.Agent) → No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\podmenadrv (Trojan.Agent) → No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\podmenadrv (Trojan.Agent) → No action taken.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) → No action taken.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) → No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gcdlbuyxm (Trojan.FakeAlert.H) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\c:\WINDOWS\downloaded program files\popcaploader.dll (Adware.PopCap) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pp (Malware.Trace) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysfbtray (Worm.KoobFace) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Backdoor.Bot) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\podmena (Trojan.Agent) → No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\podmena (Trojan.Downloader) → No action taken.

Files Infected:
C:\WINDOWS\SYSTEM32\kegbtdvr.exe (Trojan.FakeAlert.H) → No action taken.
c:\program files\podmena\podmena.dll (Trojan.Agent) → No action taken.
c:\WINDOWS\downloaded program files\popcaploader.dll (Adware.PopCap) → No action taken.
c:\program files\podmena\podmena.sys (Trojan.Agent) → No action taken.
c:\documents and settings\Default\local settings\Temp\stron_1245117177.exe (Trojan.LdPinch) → No action taken.
c:\documents and settings\Default\local settings\temporary internet files\Content.IE5\W096W2D1\fb.46[1].exe (Worm.Koobface) → No action taken.
c:\documents and settings\Default\local settings\temporary internet files\Content.IE5\SZ8ENGOM\pdrv[1].exe (Trojan.Dropper) → No action taken.
c:\documents and settings\Default\local settings\temporary internet files\Content.IE5\SZ8ENGOM\install[3].exe (Rogue.SystemSecurity) → No action taken.
c:\documents and settings\Default\Desktop\install.exe (Rogue.SystemSecurity) → No action taken.
c:\system volume information\_restore{f6a55a90-a77a-40a4-a5bf-35438f2bf3fc}\RP548\A0154530.sys (Trojan.Agent) → No action taken.
C:\WINDOWS\pp10.exe (Malware.Trace) → No action taken.
c:\WINDOWS\freddy46.exe (Worm.KoobFace) → No action taken.
c:\documents and settings\Default\Cookies\MM2048.DAT (Trojan.Agent) → No action taken.
c:\documents and settings\Default\Cookies\MM256.DAT (Trojan.Agent) → No action taken.
C:\WINDOWS\ld09.exe (Backdoor.Bot) → No action taken.
c:\WINDOWS\SYSTEM32\stuffit5.engine-5.1.dll (Trojan.FakeAlert) → No action taken.
c:\WINDOWS\9g2234wesdf3dfgjf23 (Worm.KoobFace) → No action taken.
C:\WINDOWS\dk39fi4fe.dat (Worm.KoobFace) → No action taken.
c:\WINDOWS\zaponce53198.dat (Worm.Koobface) → No action taken.
c:\WINDOWS\zaponce53173.dat (Worm.Koobface) → No action taken.
c:\WINDOWS\zaponce53290.dat (Worm.Koobface) → No action taken.
c:\WINDOWS\zaponce52597.dat (Worm.Koobface) → No action taken.
c:\WINDOWS\zaponce52689.dat (Worm.Koobface) → No action taken.
C:\WINDOWS\bf23567.dat (Worm.KoobFace) → No action taken.

Thanks for any help you can give!

Run MBAM again; this time, fix the threats found. Then reboot, run MBAM again (quick scan), post a log, and post a HJT log. Also run SAS, and post that log: http://filehippo.com/download_superantispyware/
Stick to one thread, otherwise people get confused.

What is SAS?

SuperAntiSpyware

SUPERantispyware

Ran MBAM and fixed threats - here is the report:

Malwarebytes' Anti-Malware 1.38
Database version: 2314
Windows 5.1.2600

6/20/2009 5:51:51 PM
mbam-log-2009-06-20 (17-51-51).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 160654
Time elapsed: 33 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Ran SAS and fixed what it said to fix. It didn’t/couldn’t get rid of everything. Here’s the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/20/2009 at 06:40 PM

Application Version : 4.26.1004

Core Rules Database Version : 3949
Trace Rules Database Version: 1891

Scan type : Complete Scan
Total Scan Time : 00:46:26

Memory items scanned : 372
Memory threats detected : 0
Registry items scanned : 4602
Registry threats detected : 12
File items scanned : 17612
File threats detected : 1

Adware.VX2 Transponder Variant
HKLM\Software\Classes\CLSID\{00000580-C637-11D5-831C-00105AD6ACF0}
HKCR\CLSID\{00000580-C637-11D5-831C-00105AD6ACF0}
HKCR\CLSID\{00000580-C637-11D5-831C-00105AD6ACF0}
HKCR\CLSID\{00000580-C637-11D5-831C-00105AD6ACF0}\InprocServer32
HKCR\CLSID\{00000580-C637-11D5-831C-00105AD6ACF0}\InprocServer32#ThreadingModel
HKCR\CLSID\{00000580-C637-11D5-831C-00105AD6ACF0}\ProgID
HKCR\CLSID\{00000580-C637-11D5-831C-00105AD6ACF0}\Programmable
HKCR\CLSID\{00000580-C637-11D5-831C-00105AD6ACF0}\TypeLib
HKCR\CLSID\{00000580-C637-11D5-831C-00105AD6ACF0}\VersionIndependentProgID
HKCR\MSView.MSViewObj.1
HKCR\MSView.MSViewObj
HKCR\TypeLib\{11CC62B9-65F8-4A8B-B33F-5DE4E838442D}
C:\WINDOWS\MSVIEW.DLL

Here is the HijackThis log after running both MBAM and SAS:

Logfile of HijackThis v1.99.1
Scan saved at 6:55:33 PM, on 6/20/2009
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Washer\washer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\BTTNSERV.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\PROGRA~1\COMPAQ\EASYAC~1\EAUSBKBD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1242394866&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-US
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8081
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [fhqixzuev] C:\WINDOWS\System32\kegbtdvr.exe
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Default"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: LimeShop Preferences - file://c:\Program Files\topMoxie\TEMP\limeshop_script.htmÿ
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

When trying to remove the rest of the objects with SUPERAntiSpyware I get the error message below:

Microsoft Visual C++ Runtime Library

Runtime Error!

Program: c:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

R6025

- pure virtual function call

Then SUPERAntiSpyware just exits out.

Thanks for any assistance!
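The HijackThis log posted above is what the next reply reads by hand to single out the [fhqixzuev] autorun entry. As an added example (not code from this thread or from any of the tools in it), here is a small Python triage helper that cross-references HJT O4 autorun entries against the file paths MBAM reported, and also calls out an R1 ProxyServer pointing at the local machine, which is worth checking whenever search results are being redirected. The sample lines and the detection list are constructed from the logs in this thread.

```python
import re

# Constructed sample input: a few HijackThis 1.99 lines in the format used above
# (only a handful of the log's lines, with paths copied from it).
HJT_SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8081
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [fhqixzuev] C:\WINDOWS\System32\kegbtdvr.exe
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
"""

# Paths MBAM listed as infected in the first scan (constructed from the log above).
MBAM_DETECTIONS = [r"C:\WINDOWS\SYSTEM32\kegbtdvr.exe", r"C:\WINDOWS\freddy46.exe"]

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.+?)\] (.*)$")
PROXY_RE = re.compile(r"^R1 - .*,ProxyServer = (.*)$")
EXT_RE = re.compile(r"^(.*?\.(?:exe|dll|com|scr|bat|sbrt))(?:\s|$)", re.I)

def norm(path):
    """Case-fold and unify separators so log and detection paths compare equal."""
    return path.strip().lower().replace("/", "\\")

def target_path(command):
    """Pull the executable path out of an O4 command line (quoted or bare)."""
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = EXT_RE.match(command)
    return m.group(1) if m else command

def triage(hjt_text, detections):
    """Return (kind, detail) findings an analyst would look at first."""
    known_bad = {norm(p) for p in detections}
    findings = []
    for line in hjt_text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            # "http=localhost:8081" -> host "localhost"; a proxy on the local
            # machine means something local is sitting in the browser's traffic.
            host = m.group(1).split("=")[-1].split(":")[0].strip().lower()
            if host in ("localhost", "127.0.0.1"):
                findings.append(("local-proxy", m.group(1)))
            continue
        m = O4_RE.match(line)
        if m:
            name, path = m.group(3), target_path(m.group(4))
            if norm(path) in known_bad:
                findings.append(("autorun-detected-file", f"[{name}] {path}"))
    return findings

if __name__ == "__main__":
    for kind, detail in triage(HJT_SAMPLE, MBAM_DETECTIONS):
        print(kind, detail)
```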

Navigate to C:\WINDOWS\System32\kegbtdvr.exe, send kegbtdvr.exe to virustotal, and post the results please

http://www.virustotal.com/

Here are the results from VirusTotal. FYI, I could not find a KEGBTDVR.EXE anywhere in system32. The closest I could find was KEGBTDVR.EXE-31359DD3.pf, and it was in windows\Prefetch. Here are the results for that file:

File KEGBTDVR.EXE-31359DD3.pf received on 2009.06.21 00:21:48 (UTC)
Current status: finished
Result: 0/41 (0%)
Antivirus Version Last Update Result
a-squared 4.5.0.18 2009.06.21 -
AhnLab-V3 5.0.0.2 2009.06.20 -
AntiVir 7.9.0.193 2009.06.20 -
Antiy-AVL 2.0.3.1 2009.06.19 -
Authentium 5.1.2.4 2009.06.20 -
Avast 4.8.1335.0 2009.06.20 -
AVG 8.5.0.339 2009.06.20 -
BitDefender 7.2 2009.06.21 -
CAT-QuickHeal 10.00 2009.06.19 -
ClamAV 0.94.1 2009.06.20 -
Comodo 1381 2009.06.20 -
DrWeb 5.0.0.12182 2009.06.21 -
eSafe 7.0.17.0 2009.06.18 -
eTrust-Vet 31.6.6570 2009.06.19 -
F-Prot 4.4.4.56 2009.06.20 -
F-Secure 8.0.14470.0 2009.06.19 -
Fortinet 3.117.0.0 2009.06.19 -
GData 19 2009.06.21 -
Ikarus T3.1.1.59.0 2009.06.21 -
Jiangmin 11.0.706 2009.06.20 -
K7AntiVirus 7.10.768 2009.06.19 -
Kaspersky 7.0.0.125 2009.06.21 -
McAfee 5652 2009.06.20 -
McAfee+Artemis 5652 2009.06.20 -
McAfee-GW-Edition 6.7.6 2009.06.20 -
Microsoft 1.4803 2009.06.20 -
NOD32 4174 2009.06.20 -
Norman 6.01.09 2009.06.19 -
nProtect 2009.1.8.0 2009.06.20 -
Panda 10.0.0.16 2009.06.20 -
PCTools 4.4.2.0 2009.06.20 -
Prevx 3.0 2009.06.21 -
Rising 21.34.52.00 2009.06.20 -
Sophos 4.42.0 2009.06.20 -
Sunbelt 3.2.1858.2 2009.06.20 -
Symantec 1.4.4.12 2009.06.21 -
TheHacker 6.3.4.3.350 2009.06.20 -
TrendMicro 8.950.0.1094 2009.06.20 -
VBA32 3.12.10.7 2009.06.21 -
ViRobot 2009.6.19.1796 2009.06.19 -
VirusBuster 4.6.5.0 2009.06.20 -
Additional information
File size: 17636 bytes
MD5…: 8162cb3478c45c7436ef6717edb2fb52
SHA1…: 3e6748bbb1b8c051a841173a0029d115985fbe33
SHA256: c977b373b05d1a69ee91142ab375bc5ada4bdd72d683eed4bb12df55aed0f254
ssdeep: 192:8dd4NdSbSbmJ3yM2yhwPYHi0hKVh8FUkjXTRlB2Hexl0maOGC2wk3CraO:83
UO4mJ3yM2yhFiwoh8h/2HCnAj3I
PEiD…: -
TrID…: File type identification
Microsoft Windows XP Prefetch file (98.9%)
LTAC compressed audio (v1.71) (1.0%)
PEInfo: -
PDFiD.: -
RDS…: NSRL Reference Data Set

Run HJT again, choose scan only, and fix O4 - HKLM\..\Run: [fhqixzuev] C:\WINDOWS\System32\kegbtdvr.exe
Reboot.

Run SAS and MBAM again, and post the log. Thank you.

This is the old HJT. You need to download 2.0.2 from Trend Secure. So uninstall the old one first, install 2.0.2, and post a fresh new HJT log.

I don’t think it will make much difference, do you?

Especially if they are running Windows without any Service Packs.

There doesn’t appear to be much practical difference (for diagnosis purposes) between HjT 1.99 and 2.02.
Regarding your seriously out-of-date Windows, why?
You’re still using a non-patched version, and using IE6.
There actually isn’t a lot of point in trying to delete malware from this PC if you aren’t going to patch it. It will be like trying to keep water out of a roof full of holes. You’ll get sick of moving the buckets.
I’d get SP1, then get SP3, which can be installed on an XP SP1 system, then get the subsequent MS updates.

Infected In Twenty Minutes, Scott Granneman, 2004-08-19

What normally happens within twenty minutes? That’s how long your average unprotected PC running Windows XP, fresh out of the box, will last once it’s connected to the Internet.

http://www.securityfocus.com/columnists/262

Windows XP Service Pack 2 CD:
https://om2.one.microsoft.com/opa/CASearch.aspx?StoreID=d7a098f4-4034-4ccb-a785-9e890e6b4f5b&LocaleCode=en-us

Windows XP Service Pack 3 CD:
http://www.microsoft.com/windows/products/windowsxp/sp3/default.mspx