Author Topic: malware taking over Yahoo search - MBAM report  (Read 8943 times)


kengar70

  • Guest
malware taking over Yahoo search - MBAM report
« on: June 20, 2009, 05:43:59 PM »
Here is the MBAM log file:

Malwarebytes' Anti-Malware 1.38
Database version: 2314
Windows 5.1.2600

6/20/2009 10:36:49 AM
mbam-log-2009-06-20 (10-36-39).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 160949
Time elapsed: 37 minute(s), 15 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 1
Registry Keys Infected: 14
Registry Values Infected: 6
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 24

Memory Processes Infected:
C:\WINDOWS\freddy46.exe (Worm.KoobFace) -> No action taken.
C:\WINDOWS\pp10.exe (Worm.KoobFace) -> No action taken.

Memory Modules Infected:
c:\program files\podmena\podmena.dll (Trojan.Agent) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\podmena (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\podmena (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\podmena (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\podmenadrv (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\podmenadrv (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\podmenadrv (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gcdlbuyxm (Trojan.FakeAlert.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\c:\WINDOWS\downloaded program files\popcaploader.dll (Adware.PopCap) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pp (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysfbtray (Worm.KoobFace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\podmena (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\podmena (Trojan.Downloader) -> No action taken.

Files Infected:
C:\WINDOWS\SYSTEM32\kegbtdvr.exe (Trojan.FakeAlert.H) -> No action taken.
c:\program files\podmena\podmena.dll (Trojan.Agent) -> No action taken.
c:\WINDOWS\downloaded program files\popcaploader.dll (Adware.PopCap) -> No action taken.
c:\program files\podmena\podmena.sys (Trojan.Agent) -> No action taken.
c:\documents and settings\Default\local settings\Temp\stron_1245117177.exe (Trojan.LdPinch) -> No action taken.
c:\documents and settings\Default\local settings\temporary internet files\Content.IE5\W096W2D1\fb.46[1].exe (Worm.Koobface) -> No action taken.
c:\documents and settings\Default\local settings\temporary internet files\Content.IE5\SZ8ENGOM\pdrv[1].exe (Trojan.Dropper) -> No action taken.
c:\documents and settings\Default\local settings\temporary internet files\Content.IE5\SZ8ENGOM\install[3].exe (Rogue.SystemSecurity) -> No action taken.
c:\documents and settings\Default\Desktop\install.exe (Rogue.SystemSecurity) -> No action taken.
c:\system volume information\_restore{f6a55a90-a77a-40a4-a5bf-35438f2bf3fc}\RP548\A0154530.sys (Trojan.Agent) -> No action taken.
C:\WINDOWS\pp10.exe (Malware.Trace) -> No action taken.
c:\WINDOWS\freddy46.exe (Worm.KoobFace) -> No action taken.
c:\documents and settings\Default\Cookies\MM2048.DAT (Trojan.Agent) -> No action taken.
c:\documents and settings\Default\Cookies\MM256.DAT (Trojan.Agent) -> No action taken.
C:\WINDOWS\ld09.exe (Backdoor.Bot) -> No action taken.
c:\WINDOWS\SYSTEM32\stuffit5.engine-5.1.dll (Trojan.FakeAlert) -> No action taken.
c:\WINDOWS\9g2234wesdf3dfgjf23 (Worm.KoobFace) -> No action taken.
C:\WINDOWS\dk39fi4fe.dat (Worm.KoobFace) -> No action taken.
c:\WINDOWS\zaponce53198.dat (Worm.Koobface) -> No action taken.
c:\WINDOWS\zaponce53173.dat (Worm.Koobface) -> No action taken.
c:\WINDOWS\zaponce53290.dat (Worm.Koobface) -> No action taken.
c:\WINDOWS\zaponce52597.dat (Worm.Koobface) -> No action taken.
c:\WINDOWS\zaponce52689.dat (Worm.Koobface) -> No action taken.
C:\WINDOWS\bf23567.dat (Worm.KoobFace) -> No action taken.

Thanks for any help you can give!

micky77

  • Guest
Re: malware taking over Yahoo search - MBAM report
« Reply #1 on: June 20, 2009, 06:04:53 PM »
Run MBAM again; this time, fix the threats found. Then reboot, run MBAM again (quick scan), post a log, and post a HJT log. Also run SAS and post that log: http://filehippo.com/download_superantispyware/
Stick to one thread, otherwise people get confused.
« Last Edit: June 20, 2009, 06:10:03 PM by micky77 »

kengar70

  • Guest
Re: malware taking over Yahoo search - MBAM report
« Reply #2 on: June 20, 2009, 06:10:09 PM »
What is SAS?

micky77

  • Guest
Re: malware taking over Yahoo search - MBAM report
« Reply #3 on: June 20, 2009, 06:15:06 PM »
SuperAntiSpyware

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: malware taking over Yahoo search - MBAM report
« Reply #4 on: June 21, 2009, 12:13:45 AM »
The best things in life are free.

kengar70

  • Guest
Re: malware taking over Yahoo search - MBAM report
« Reply #5 on: June 21, 2009, 01:57:11 AM »
Ran MBAM and fixed threats - here is the report:

Malwarebytes' Anti-Malware 1.38
Database version: 2314
Windows 5.1.2600

6/20/2009 5:51:51 PM
mbam-log-2009-06-20 (17-51-51).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 160654
Time elapsed: 33 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

kengar70

  • Guest
Re: malware taking over Yahoo search - MBAM report
« Reply #6 on: June 21, 2009, 01:58:48 AM »
Ran SAS and fixed what it said to fix. It didn't/couldn't get rid of everything. Here's the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/20/2009 at 06:40 PM

Application Version : 4.26.1004

Core Rules Database Version : 3949
Trace Rules Database Version: 1891

Scan type       : Complete Scan
Total Scan Time : 00:46:26

Memory items scanned      : 372
Memory threats detected   : 0
Registry items scanned    : 4602
Registry threats detected : 12
File items scanned        : 17612
File threats detected     : 1

Adware.VX2 Transponder Variant
   HKLM\Software\Classes\CLSID\{00000580-C637-11D5-831C-00105AD6ACF0}
   HKCR\CLSID\{00000580-C637-11D5-831C-00105AD6ACF0}
   HKCR\CLSID\{00000580-C637-11D5-831C-00105AD6ACF0}
   HKCR\CLSID\{00000580-C637-11D5-831C-00105AD6ACF0}\InprocServer32
   HKCR\CLSID\{00000580-C637-11D5-831C-00105AD6ACF0}\InprocServer32#ThreadingModel
   HKCR\CLSID\{00000580-C637-11D5-831C-00105AD6ACF0}\ProgID
   HKCR\CLSID\{00000580-C637-11D5-831C-00105AD6ACF0}\Programmable
   HKCR\CLSID\{00000580-C637-11D5-831C-00105AD6ACF0}\TypeLib
   HKCR\CLSID\{00000580-C637-11D5-831C-00105AD6ACF0}\VersionIndependentProgID
   HKCR\MSView.MSViewObj.1
   HKCR\MSView.MSViewObj
   HKCR\TypeLib\{11CC62B9-65F8-4A8B-B33F-5DE4E838442D}
   C:\WINDOWS\MSVIEW.DLL

kengar70

  • Guest
Re: malware taking over Yahoo search - MBAM report
« Reply #7 on: June 21, 2009, 01:59:41 AM »
Here is the HijackThis log after running both MBAM and SAS:

Logfile of HijackThis v1.99.1
Scan saved at 6:55:33 PM, on 6/20/2009
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Washer\washer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\BTTNSERV.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\PROGRA~1\COMPAQ\EASYAC~1\EAUSBKBD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1242394866&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-US
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8081
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [fhqixzuev] C:\WINDOWS\System32\kegbtdvr.exe
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Default"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: LimeShop Preferences - file://c:\Program Files\topMoxie\TEMP\limeshop_script.htmÿ
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

kengar70

  • Guest
Re: malware taking over Yahoo search - MBAM report
« Reply #8 on: June 21, 2009, 02:05:19 AM »
When trying to remove the rest of the objects with SUPERAntiSpyware I get the error message below:

Microsoft Visual C++ Runtime Library

Runtime Error!

Program: c:\Program Files\SUPERAntiSpyware\ SUPERAntiSpyware.exe

R6025
-   pure virtual function call

Then SUPERAntiSpyware just exits out.

Thanks for any assistance!

micky77

  • Guest
Re: malware taking over Yahoo search - MBAM report
« Reply #9 on: June 21, 2009, 02:08:02 AM »
Navigate to C:\WINDOWS\System32\kegbtdvr.exe, send kegbtdvr.exe to VirusTotal, and post the results please.

http://www.virustotal.com/

kengar70

  • Guest
Re: malware taking over Yahoo search - MBAM report
« Reply #10 on: June 21, 2009, 02:33:43 AM »
Here are the results from VirusTotal. FYI, I could not find a KEGBTDVR.EXE anywhere in system32. The closest I could find was KEGBTDVR.EXE-31359DD3.pf, and it was in windows\Prefetch. Here are the results for that file:

File KEGBTDVR.EXE-31359DD3.pf received on 2009.06.21 00:21:48 (UTC)
Current status:     finished   
Result: 0/41 (0%)
Antivirus   Version   Last Update   Result
a-squared   4.5.0.18   2009.06.21   -
AhnLab-V3   5.0.0.2   2009.06.20   -
AntiVir   7.9.0.193   2009.06.20   -
Antiy-AVL   2.0.3.1   2009.06.19   -
Authentium   5.1.2.4   2009.06.20   -
Avast   4.8.1335.0   2009.06.20   -
AVG   8.5.0.339   2009.06.20   -
BitDefender   7.2   2009.06.21   -
CAT-QuickHeal   10.00   2009.06.19   -
ClamAV   0.94.1   2009.06.20   -
Comodo   1381   2009.06.20   -
DrWeb   5.0.0.12182   2009.06.21   -
eSafe   7.0.17.0   2009.06.18   -
eTrust-Vet   31.6.6570   2009.06.19   -
F-Prot   4.4.4.56   2009.06.20   -
F-Secure   8.0.14470.0   2009.06.19   -
Fortinet   3.117.0.0   2009.06.19   -
GData   19   2009.06.21   -
Ikarus   T3.1.1.59.0   2009.06.21   -
Jiangmin   11.0.706   2009.06.20   -
K7AntiVirus   7.10.768   2009.06.19   -
Kaspersky   7.0.0.125   2009.06.21   -
McAfee   5652   2009.06.20   -
McAfee+Artemis   5652   2009.06.20   -
McAfee-GW-Edition   6.7.6   2009.06.20   -
Microsoft   1.4803   2009.06.20   -
NOD32   4174   2009.06.20   -
Norman   6.01.09   2009.06.19   -
nProtect   2009.1.8.0   2009.06.20   -
Panda   10.0.0.16   2009.06.20   -
PCTools   4.4.2.0   2009.06.20   -
Prevx   3.0   2009.06.21   -
Rising   21.34.52.00   2009.06.20   -
Sophos   4.42.0   2009.06.20   -
Sunbelt   3.2.1858.2   2009.06.20   -
Symantec   1.4.4.12   2009.06.21   -
TheHacker   6.3.4.3.350   2009.06.20   -
TrendMicro   8.950.0.1094   2009.06.20   -
VBA32   3.12.10.7   2009.06.21   -
ViRobot   2009.6.19.1796   2009.06.19   -
VirusBuster   4.6.5.0   2009.06.20   -
Additional information
File size: 17636 bytes
MD5...: 8162cb3478c45c7436ef6717edb2fb52
SHA1..: 3e6748bbb1b8c051a841173a0029d115985fbe33
SHA256: c977b373b05d1a69ee91142ab375bc5ada4bdd72d683eed4bb12df55aed0f254
ssdeep: 192:8dd4NdSbSbmJ3yM2yhwPYHi0hKVh8FUkjXTRlB2Hexl0maOGC2wk3CraO:83UO4mJ3yM2yhFiwoh8h/2HCnAj3I
PEiD..: -
TrID..: File type identification
Microsoft Windows XP Prefetch file (98.9%)
LTAC compressed audio (v1.71) (1.0%)
PEInfo: -
PDFiD.: -
RDS...: NSRL Reference Data Set

micky77

  • Guest
Re: malware taking over Yahoo search - MBAM report
« Reply #11 on: June 21, 2009, 02:44:44 AM »
Run HJT again, choose scan only. Fix O4 - HKLM\..\Run: [fhqixzuev] C:\WINDOWS\System32\kegbtdvr.exe
Reboot.

Run SAS and MBAM again, and post the log, thank you.

Jtaylor83

  • Guest
Re: malware taking over Yahoo search - MBAM report
« Reply #12 on: June 21, 2009, 02:50:48 AM »
Here is the HijackThis log after running both MBAM and SAS:

Logfile of HijackThis v1.99.1

This is the old HJT. You need to download 2.0.2 from Trend Secure. So uninstall the old one first, install 2.0.2, and post a fresh new HJT log.

micky77

  • Guest
Re: malware taking over Yahoo search - MBAM report
« Reply #13 on: June 21, 2009, 02:56:30 AM »
I don't think it will make much difference, do you?

YoKenny

  • Guest
Re: malware taking over Yahoo search - MBAM report
« Reply #14 on: June 21, 2009, 11:08:31 AM »
I don't think it will make much difference, do you?

Especially if they are running Windows without any Service Packs.