Virtumonde, can't get rid of it



BananaJoe
2007-09-05, 11:53
I've tried:

-Spybot
-VundoFix
-VirtumundoBeGone
-McAfee Viruscan
-Ad-Aware
-My own hacking

Nothing gets rid of Virtumonde definitively. Help please!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:37:15, on 5/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WIND\System32\smss.exe
C:\WIND\system32\winlogon.exe
C:\WIND\system32\services.exe
C:\WIND\system32\lsass.exe
C:\WIND\system32\Ati2evxx.exe
C:\WIND\system32\svchost.exe
C:\WIND\System32\svchost.exe
C:\WIND\system32\Ati2evxx.exe
C:\WIND\system32\spoolsv.exe
C:\WIND\SOUNDMAN.EXE
C:\Arquivos de programas\Java\jre1.6.0_02\bin\jusched.exe
C:\WIND\system32\ctfmon.exe
C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Documents and Settings\Bob\Dados de aplicativos\tmp35.tmp.exe
C:\Arquivos de programas\Arquivos comuns\McAfee\HackerWatch\HWAPI.exe
C:\ARQUIV~1\McAfee\MSC\mcmscsvc.exe
c:\arquivos de programas\arquivos comuns\mcafee\mna\mcnasvc.exe
C:\ARQUIV~1\McAfee\VIRUSS~1\mcods.exe
C:\ARQUIV~1\McAfee\MSC\mcpromgr.exe
c:\ARQUIV~1\ARQUIV~1\mcafee\redirsvc\redirsvc.exe
C:\ARQUIV~1\McAfee\VIRUSS~1\mcshield.exe
C:\ARQUIV~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Arquivos de programas\McAfee\MPF\MPFSrv.exe
C:\ARQUIV~1\mcafee.com\agent\mcagent.exe
C:\ARQUIV~1\McAfee\MSC\mcregist.exe
C:\WIND\system32\wscntfy.exe
C:\ARQUIV~1\mcafee\msc\mcuimgr.exe
C:\Arquivos de programas\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Arquivos de programas\MSN Messenger\usnsvc.exe
C:\WIND\explorer.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\arquivos de programas\mcafee\virusscan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {ac06f367-7357-4925-bf45-3a814d48737b} - C:\WIND\system32\dsprig.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [StartCCC] C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WIND\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WIND\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [igndlm.exe] C:\Arquivos de programas\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WIND\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WIND\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WIND\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WIND\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O20 - AppInit_DLLs: c:\wind\system32\jkhffff.dll
O20 - Winlogon Notify: dsprig - C:\WIND\SYSTEM32\dsprig.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WIND\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WIND\system32\ati2sgag.exe
O23 - Service: DomainService - Unknown owner - C:\Documents and Settings\Bob\Dados de aplicativos\tmp35.tmp.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\ARQUIV~1\ARQUIV~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Arquivos de programas\Arquivos comuns\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\ARQUIV~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\ARQUIV~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\arquivos de programas\arquivos comuns\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\ARQUIV~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\ARQUIV~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\ARQUIV~1\ARQUIV~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\ARQUIV~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\ARQUIV~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Arquivos de programas\McAfee\MPF\MPFSrv.exe

--
End of file - 6104 bytes
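
Added example (not part of the thread, and not a HijackThis or Spybot tool): a small triage script for the entry types that carry this infection in the log above. It flags the unnamed O2 BHO loading a DLL from system32, the O20 AppInit_DLLs and Winlogon Notify hooks, and the O23 service with "Unknown owner" whose binary sits in a user profile directory. The sample lines are excerpted from the posted log, with the clean Java BHO and one McAfee service added for contrast; the heuristics and thresholds are my own assumptions, not rules from the forum.

```python
"""Triage a HijackThis 2.0 log for Vundo/Virtumonde-style persistence.

Added example; not part of the thread. It flags the entry types the
infection above used: an unnamed O2 BHO loading a DLL from system32,
O20 AppInit_DLLs and Winlogon Notify hooks, and an O23 service with
'Unknown owner' running from a user profile directory.
"""
import re

# Lines excerpted from the HijackThis log posted above, plus the clean
# Java BHO and McAfee service lines for contrast.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {ac06f367-7357-4925-bf45-3a814d48737b} - C:\WIND\system32\dsprig.dll
O20 - AppInit_DLLs: c:\wind\system32\jkhffff.dll
O20 - Winlogon Notify: dsprig - C:\WIND\SYSTEM32\dsprig.dll
O23 - Service: DomainService - Unknown owner - C:\Documents and Settings\Bob\Dados de aplicativos\tmp35.tmp.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\ARQUIV~1\McAfee\VIRUSS~1\mcshield.exe
""".strip()

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - (?P<kind>AppInit_DLLs|Winlogon Notify): (?P<rest>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Locations a non-admin process can write to; a service binary here is
# a red flag regardless of its name. (Assumed list, extend as needed.)
USER_WRITABLE = re.compile(r"\\documents and settings\\|\\temp\\|\\tmp\d*\.tmp", re.I)


def _finding(line, path, reason):
    basename = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return {"line": line, "path": path, "basename": basename, "reason": reason}


def triage(log_text):
    """Return a list of findings, one per suspicious HijackThis line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            if path == "(no file)":
                findings.append(_finding(line, path, "orphaned BHO: CLSID registered but DLL gone; remove the key"))
            elif name == "(no name)":
                findings.append(_finding(line, path, "unnamed BHO: DLL loaded into every IE process"))
            continue
        m = O20_RE.match(line)
        if m:
            # 'Winlogon Notify: <name> - <path>' vs 'AppInit_DLLs: <path>'
            path = m.group("rest").rsplit(" - ", 1)[-1]
            if m.group("kind") == "AppInit_DLLs":
                reason = "AppInit_DLLs: loaded into every process that maps user32.dll"
            else:
                reason = "Winlogon Notify: loaded into winlogon.exe as SYSTEM at every logon"
            findings.append(_finding(line, path, reason))
            continue
        m = SVC_RE.match(line)
        if m:
            owner, path = m.group("owner"), m.group("path")
            if owner == "Unknown owner" and USER_WRITABLE.search(path):
                findings.append(_finding(line, path, "unsigned service whose binary lives in a user-writable path"))
    return findings


def flagged_basenames(log_text):
    """Lower-cased file names of everything triage() flagged."""
    return {f["basename"] for f in triage(log_text)}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['basename']:<16} {f['reason']}")
```

Run against the log above it flags dsprig.dll (twice: as BHO and as Winlogon Notify handler), jkhffff.dll and tmp35.tmp.exe, and leaves the Java and McAfee entries alone. The two O20 hooks are what make this family come back after each reboot: a DLL in AppInit_DLLs reloads into every GUI process, and a Winlogon Notify package reloads inside winlogon.exe before the user's own tools start, which is also why the helper later asks for a reboot-time deleter rather than a plain delete.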

ken545
2007-09-05, 18:55
Hello BananaJoe

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)


Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up




Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



This is important.
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe <-- Right-click on the HijackThis icon (it looks like a man with a spyglass) and rename it to Scanner.exe <-- Don't forget the .exe.

Let me see the Combofix log and a new HJT log with it renamed please.

BananaJoe
2007-09-06, 23:23
Thanks, I have no signs of Virtumonde after doing what you said, but I'm afraid it will be back soon (it happened before with other tools). Here are the logs:

ComboFix 07-08-30.3 - "Bob" 2007-09-06 17:54:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.110 [GMT -3:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ADMINI~1\DADOSD~1\macromedia\Flash Player\#SharedObjects\WGT5HCAL\www.broadcaster.com
C:\DOCUME~1\ADMINI~1\DADOSD~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\Bob\DADOSD~1\tmp16.tmp.exe
C:\WIND\cookies.ini
C:\WIND\iifcyw.dll
C:\WIND\system32\awtqp.exe
C:\WIND\system32\awtsr.exe
C:\WIND\system32\awtss.exe
C:\WIND\system32\dn446db0ca.dat
C:\WIND\system32\dsprig.dll
C:\WIND\system32\geeby.exe
C:\WIND\system32\jkhffff.dll
C:\WIND\system32\jkkjh.exe
C:\WIND\system32\mljgf.exe
C:\WIND\system32\mlljg.exe
C:\WIND\system32\pmkjj.exe
C:\WIND\system32\ssqro.exe
C:\WIND\system32\ssqrq.exe
C:\WIND\system32\vtsqo.exe
C:\WIND\system32\vturr.exe
C:\WIND\WebAssist.dll
C:\WIND\wycfii.ini
C:\WIND\xhelper.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-08-06 to 2007-09-06 )))))))))))))))))))))))))))))))


2007-09-06 17:47 51,200 --a------ C:\WIND\nircmd.exe
2007-09-05 08:15 <DIR> d-------- C:\WIND\ERUNT
2007-09-05 06:35 <DIR> d-------- C:\Arquivos de programas\Trend Micro
2007-09-03 17:20 92,783 --a------ C:\WIND\system32\msasext.dll.vir
2007-09-03 10:38 92,747 --a------ C:\WIND\system32\kertss.dll.vir
2007-09-02 20:55 92,688 --a------ C:\WIND\system32\mljos1.dll.vir
2007-08-30 20:15 92,760 --a------ C:\WIND\system32\kbdrig.dll.vir
2007-08-30 18:45 92,760 --a------ C:\WIND\system32\kbddsp.dll.vir
2007-08-30 17:59 92,760 --a------ C:\WIND\system32\l3c400.dll.vir
2007-08-30 09:03 92,760 --a------ C:\WIND\system32\mprdui.dll.vir
2007-08-29 17:22 <DIR> d-------- C:\VundoFix Backups
2007-08-29 09:14 92,778 --a------ C:\WIND\system32\kbdtil.dll.vir
2007-08-14 10:24 <DIR> d-------- C:\Arquivos de programas\Windows Media Connect 2
2007-08-14 10:22 <DIR> d-------- C:\WIND\system32\drivers\UMDF
2007-08-12 22:50 33,824 --a------ C:\WIND\system32\drivers\oreans32.sys
2007-08-09 20:51 84,744 --a------ C:\WIND\system32\drivers\mfeavfk.sys
2007-08-09 20:51 37,800 --a------ C:\WIND\system32\drivers\mfesmfk.sys
2007-08-09 20:51 33,896 --a------ C:\WIND\system32\drivers\mfebopk.sys
2007-08-09 20:51 31,560 --a------ C:\WIND\system32\drivers\mferkdk.sys
2007-08-09 20:51 161,768 --a------ C:\WIND\system32\drivers\mfehidk.sys
2007-08-09 20:51 104,024 --a------ C:\WIND\system32\drivers\Mpfp.sys
2007-08-09 20:49 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\McAfee
2007-08-09 20:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\DADOSD~1\McAfee
2007-08-09 20:47 <DIR> d-------- C:\ANTIVIRUS TEMP
2007-08-09 19:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\DADOSD~1\ParetoLogic Anti-Spyware
2007-08-09 19:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\DADOSD~1\Lavasoft
2007-08-09 19:10 <DIR> d-------- C:\Arquivos de programas\Lavasoft
2007-08-09 19:09 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Wise Installation Wizard
2007-08-09 09:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\DADOSD~1\Spybot - Search & Destroy


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-06 17:26 --------- d-a------ C:\DOCUME~1\ALLUSE~1.WIN\DADOSD~1\TEMP
2007-09-01 09:25 --------- d-------- C:\Arquivos de programas\Lineage II C4
2007-08-24 19:19 --------- d-------- C:\DOCUME~1\ALLUSE~1.WIN\DADOSD~1\WinZip
2007-08-24 10:39 --------- d-------- C:\Arquivos de programas\eMule
2007-08-11 09:20 --------- d--h----- C:\Arquivos de programas\InstallShield Installation Information
2007-08-10 08:07 --------- d-------- C:\Arquivos de programas\McAfee
2007-07-30 19:19 92504 --a------ C:\WIND\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WIND\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WIND\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WIND\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WIND\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WIND\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WIND\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WIND\system32\wups.dll
2007-07-18 11:26 --------- d-------- C:\Arquivos de programas\nero BURN
2007-07-17 15:39 --------- d-------- C:\Arquivos de programas\Arquivos comuns\SWF Studio
2007-07-12 01:55 --------- d-------- C:\DOCUME~1\Bob\DADOSD~1\Azureus
2007-07-11 21:30 --------- d-------- C:\DOCUME~1\ALLUSE~1.WIN\DADOSD~1\Azureus
2007-07-11 21:30 --------- d-------- C:\Arquivos de programas\Azureus 2
2007-07-11 21:29 --------- d-------- C:\Arquivos de programas\Azureus
2007-07-04 00:33 22592 --a------ C:\WIND\system32\JFGuM82A.exe
2007-06-26 03:10 1104896 --a------ C:\WIND\system32\msxml3.dll
2007-06-19 10:31 282112 --a------ C:\WIND\system32\gdi32.dll
2007-06-13 16:25 339968 --a------ C:\WIND\system32\ATIDEMGX.dll
2007-06-13 16:24 268288 --a------ C:\WIND\system32\ati2dvag.dll
2007-06-13 16:23 307200 --a------ C:\WIND\system32\atiiiexx.dll
2007-06-13 16:17 42496 --a------ C:\WIND\system32\ati2edxx.dll
2007-06-13 16:17 26112 --a------ C:\WIND\system32\Ati2mdxx.exe
2007-06-13 16:17 139264 --a------ C:\WIND\system32\atipdlxx.dll
2007-06-13 16:17 118784 --a------ C:\WIND\system32\Oemdspif.dll
2007-06-13 16:16 118784 --a------ C:\WIND\system32\ati2evxx.dll
2007-06-13 16:15 483328 --a------ C:\WIND\system32\ati2evxx.exe
2007-06-13 16:14 53248 --a------ C:\WIND\system32\ATIDDC.DLL
2007-06-13 16:10 8097792 --a------ C:\WIND\system32\atioglx2.dll
2007-06-13 16:07 2922208 --a------ C:\WIND\system32\ati3duag.dll
2007-06-13 15:57 1512960 --a------ C:\WIND\system32\ativvaxx.dll
2007-06-13 15:46 5431296 --a------ C:\WIND\system32\atioglxx.dll
2007-06-13 15:43 262144 --a------ C:\WIND\system32\atikvmag.dll
2007-06-13 15:42 17408 --a------ C:\WIND\system32\atitvo32.dll
2007-06-13 15:41 50176 --a------ C:\WIND\system32\atiok3x2.dll
2007-06-13 15:36 368640 --a------ C:\WIND\system32\ati2cqag.dll
2007-06-13 14:29 520192 --------- C:\WIND\system32\ati2sgag.exe
2007-06-13 10:21 1035264 --a------ C:\WIND\explorer.exe
2006-01-05 17:03 450560 --a------ C:\DOCUME~1\ADMINI~1\Project1.exe
2005-01-10 09:50 5945283 --a------ C:\DOCUME~1\ADMINI~1\Update.exe
2003-01-03 16:26 2911450 --a------ C:\DOCUME~1\ADMINI~1\PROLOJA.EXE


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-07-16 11:50 C:\WIND\SOUNDMAN.EXE]
"StartCCC"="C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" []
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"NeroFilterCheck"="C:\WIND\system32\NeroCheck.exe" [2001-07-09 11:50]
"Adobe Reader Speed Launcher"="C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WIND\system32\ctfmon.exe" [2004-08-04 00:45]
"MsnMsgr"="C:\Arquivos de programas\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"igndlm.exe"="C:\Arquivos de programas\IGN\Download Manager\DLM.exe" [2007-03-05 13:57]
"MSMSGS"="C:\Arquivos de programas\Messenger\msmsgs.exe" [2004-10-13 13:24]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R1 oreans32;oreans32;\??\C:\WIND\system32\drivers\oreans32.sys


Contents of the 'Scheduled Tasks' folder
2007-08-15 06:31:44 C:\WIND\Tasks\McDefragTask.job - C:\WIND\system32\defrag.exe
2007-09-01 04:04:43 C:\WIND\Tasks\McQcTask.job - c:\arquivos de programas\mcafee\mqc\QcConsol.exe
2007-09-04 21:00:01 C:\WIND\Tasks\Pareto UNS.job - C:\Arquivos de programas\Arquivos comuns\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-06 18:13:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-06 18:16:07 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-06 18:15

--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:17:59, on 6/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WIND\System32\smss.exe
C:\WIND\system32\winlogon.exe
C:\WIND\system32\services.exe
C:\WIND\system32\lsass.exe
C:\WIND\system32\Ati2evxx.exe
C:\WIND\system32\svchost.exe
C:\WIND\System32\svchost.exe
C:\WIND\system32\Ati2evxx.exe
C:\WIND\Explorer.EXE
C:\WIND\system32\spoolsv.exe
C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Arquivos de programas\Arquivos comuns\McAfee\HackerWatch\HWAPI.exe
C:\WIND\SOUNDMAN.EXE
C:\Arquivos de programas\Java\jre1.6.0_02\bin\jusched.exe
C:\WIND\system32\ctfmon.exe
C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\ARQUIV~1\McAfee\MSC\mcmscsvc.exe
c:\arquivos de programas\arquivos comuns\mcafee\mna\mcnasvc.exe
C:\ARQUIV~1\McAfee\VIRUSS~1\mcods.exe
C:\ARQUIV~1\McAfee\MSC\mcpromgr.exe
c:\ARQUIV~1\ARQUIV~1\mcafee\redirsvc\redirsvc.exe
C:\ARQUIV~1\McAfee\VIRUSS~1\mcshield.exe
C:\ARQUIV~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Arquivos de programas\McAfee\MPF\MPFSrv.exe
C:\WIND\system32\wscntfy.exe
C:\ARQUIV~1\mcafee.com\agent\mcagent.exe
C:\ARQUIV~1\McAfee\MSC\mcregist.exe
C:\WIND\system32\wuauclt.exe
C:\WIND\system32\notepad.exe
C:\ARQUIV~1\mcafee\msc\mcuimgr.exe
C:\Arquivos de programas\Trend Micro\HijackThis\Scanner.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\arquivos de programas\mcafee\virusscan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [StartCCC] C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WIND\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WIND\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [igndlm.exe] C:\Arquivos de programas\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WIND\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WIND\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WIND\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WIND\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WIND\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WIND\system32\ati2sgag.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\ARQUIV~1\ARQUIV~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Arquivos de programas\Arquivos comuns\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\ARQUIV~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\ARQUIV~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\arquivos de programas\arquivos comuns\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\ARQUIV~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\ARQUIV~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\ARQUIV~1\ARQUIV~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\ARQUIV~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\ARQUIV~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Arquivos de programas\McAfee\MPF\MPFSrv.exe

--
End of file - 5543 bytes
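
Added example (not ComboFix output and not ComboFix's own logic): the eight .vir files in the "Files Created" section above are one family dropped repeatedly over six days, all in system32 and all between 92,688 and 92,783 bytes, while every name differs. Names such as kbdrig, kbddsp and kbdtil also resemble the legitimate kbd*.dll keyboard-layout DLLs in system32, so name-based spotting is unreliable; grouping new files by directory and near-identical size surfaces the drop series anyway. The sample lines are excerpted from the ComboFix log above; the 2% size tolerance and the three-member minimum are my own assumptions.

```python
"""Cluster newly created files from a ComboFix 'Files Created' section.

Added example; not ComboFix output or ComboFix's own logic. Groups new
files by directory and near-identical size so that a drop series with
unique file names still stands out.
"""
import re
from collections import defaultdict

# Lines excerpted from the ComboFix 'Files Created' section above
# (the .vir suffix is what an earlier cleanup tool left on the DLLs).
SAMPLE_SECTION = r"""
2007-09-06 17:47 51,200 --a------ C:\WIND\nircmd.exe
2007-09-05 08:15 <DIR> d-------- C:\WIND\ERUNT
2007-09-03 17:20 92,783 --a------ C:\WIND\system32\msasext.dll.vir
2007-09-03 10:38 92,747 --a------ C:\WIND\system32\kertss.dll.vir
2007-09-02 20:55 92,688 --a------ C:\WIND\system32\mljos1.dll.vir
2007-08-30 20:15 92,760 --a------ C:\WIND\system32\kbdrig.dll.vir
2007-08-30 18:45 92,760 --a------ C:\WIND\system32\kbddsp.dll.vir
2007-08-30 17:59 92,760 --a------ C:\WIND\system32\l3c400.dll.vir
2007-08-30 09:03 92,760 --a------ C:\WIND\system32\mprdui.dll.vir
2007-08-29 09:14 92,778 --a------ C:\WIND\system32\kbdtil.dll.vir
2007-08-12 22:50 33,824 --a------ C:\WIND\system32\drivers\oreans32.sys
2007-08-09 20:51 84,744 --a------ C:\WIND\system32\drivers\mfeavfk.sys
2007-08-09 20:51 33,896 --a------ C:\WIND\system32\drivers\mfebopk.sys
2007-08-09 20:51 31,560 --a------ C:\WIND\system32\drivers\mferkdk.sys
""".strip()

ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attr>\S+)\s+(?P<path>.+)$"
)


def parse_created(section):
    """Parse file entries (directories are skipped) into dicts."""
    entries = []
    for line in section.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m or m.group("size") == "<DIR>":
            continue
        directory, _, name = m.group("path").rpartition("\\")
        entries.append({
            "date": m.group("date"),
            "size": int(m.group("size").replace(",", "")),
            "dir": directory.lower(),
            "name": name,
        })
    return entries


def size_clusters(entries, tolerance=0.02, min_members=3):
    """Group files in the same directory whose sizes lie within
    `tolerance` of the smallest member; keep groups of >= min_members.
    (Assumed thresholds: 2% and three files.)"""
    by_dir = defaultdict(list)
    for e in entries:
        by_dir[e["dir"]].append(e)
    clusters = []
    for files in by_dir.values():
        files.sort(key=lambda e: e["size"])
        current = []
        for e in files:
            if current and e["size"] > current[0]["size"] * (1 + tolerance):
                if len(current) >= min_members:
                    clusters.append(current)
                current = []
            current.append(e)
        if len(current) >= min_members:
            clusters.append(current)
    return clusters


def summarize(cluster):
    dates = sorted(e["date"] for e in cluster)
    sizes = [e["size"] for e in cluster]
    return {
        "dir": cluster[0]["dir"],
        "count": len(cluster),
        "size_min": min(sizes),
        "size_max": max(sizes),
        "first": dates[0],
        "last": dates[-1],
        "names": sorted(e["name"] for e in cluster),
    }


def suspicious_clusters(section, **kwargs):
    return [summarize(c) for c in size_clusters(parse_created(section), **kwargs)]


if __name__ == "__main__":
    for c in suspicious_clusters(SAMPLE_SECTION):
        print(f"{c['count']} files in {c['dir']}, {c['size_min']}-{c['size_max']} bytes, "
              f"{c['first']} to {c['last']}: {', '.join(c['names'])}")
```

On the sample this yields exactly one cluster: the eight .vir files in c:\wind\system32, 92,688 to 92,783 bytes, created between 2007-08-29 and 2007-09-03. ComboFix's own nircmd.exe and the McAfee drivers do not cluster, because they sit in other directories and their sizes are spread out. The dates matter as much as the sizes: a new dropper every day or so while several scanners were running is the re-infection loop the original poster describes, and it is why the helper treats the leftovers as questionable rather than as already-cleaned.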

ken545
2007-09-07, 01:25
Your log looks fine :bigthumb: There are a few entries on your Combofix log I am unsure of so will be back in a bit.

How is your system running now??

BananaJoe
2007-09-07, 12:58
Hi, it seems that it is finally gone!! One day later and two reboots and Virtumonde is not back!!

If it returns (I doubt it) I will post here again.

Thanks a lot!!!

ken545
2007-09-07, 13:16
Good Morning,

Even though the worst part of the infection is gone, there are some leftover files that are questionable.

What I would like you to do is to just pick any two of the listed files and upload them for analysis.


You need to enable windows to show all files and folders, instructions Here (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)

Go to Jotti Upload (http://virusscan.jotti.org/) and under the browse feature, browse to these files

C:\WIND\system32\msasext.dll
C:\WIND\system32\kertss.dll
C:\WIND\system32\mljos1.dll
C:\WIND\system32\kbdrig.dll
C:\WIND\system32\kbddsp.dll
C:\WIND\system32\l3c400.dll
C:\WIND\system32\mprdui.dll
C:\WIND\system32\kbdtil.dll

Then click on upload and it will give you a report; post the report in your next reply.





Let me see the report and it will decide if we should remove these files.

ken545
2007-09-07, 16:05
Joe,

Think positive; I've been at this for 4 years or so and have not lost one yet.

1. Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop. Click on Avenger.zip to open the file. Extract avenger.exe to your desktop.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to delete:
C:\WIND\system32\msasext.dll
C:\WIND\system32\kertss.dll
C:\WIND\system32\mljos1.dll
C:\WIND\system32\kbdrig.dll
C:\WIND\system32\kbddsp.dll
C:\WIND\system32\l3c400.dll
C:\WIND\system32\mprdui.dll
C:\WIND\system32\kbdtil.dll
C:\WIND\system32\msasext.dll.vir
C:\WIND\system32\kertss.dll.vir
C:\WIND\system32\mljos1.dll.vir
C:\WIND\system32\kbdrig.dll.vir
C:\WIND\system32\kbddsp.dll.vir
C:\WIND\system32\l3c400.dll.vir
C:\WIND\system32\mprdui.dll.vir
C:\WIND\system32\kbdtil.dll.vir

Folders to delete:

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply
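
Added example (my own code, not The Avenger's): before handing a reboot-time deleter a list like the one above, record what is actually on disk. Hash and stat every target so an IOC record survives even if C:\avenger\backup.zip is lost, and so the post-reboot avenger.txt can be checked against what was really there. A target that no longer exists (the bare .dll names here, of which only the .dll.vir renames still appear in the ComboFix log) is recorded as missing rather than treated as an error. The same script then emits the "Files to delete:" / "Folders to delete:" sections in the layout of the post above, refusing relative or wildcard paths and dropping duplicates; the path rule and the demo file contents are assumptions.

```python
"""Record what an Avenger script is about to delete, then emit the script.

Added example; not The Avenger's own code. Hashes and stats every
target before a reboot-time mass delete, tolerating targets that are
already gone, and builds the script text in the layout used above.
"""
import hashlib
import json
import os
import re
import tempfile
from datetime import datetime, timezone

# File list from the Avenger post above: eight DLLs plus their .vir renames.
SYS32 = r"C:\WIND\system32"
_NAMES = ["msasext", "kertss", "mljos1", "kbdrig", "kbddsp", "l3c400", "mprdui", "kbdtil"]
SUSPECT_FILES = [SYS32 + "\\" + n + ".dll" for n in _NAMES] + \
                [SYS32 + "\\" + n + ".dll.vir" for n in _NAMES]

# Absolute drive-letter path, no wildcards, no UNC (assumed safety rule).
WIN_ABS_PATH = re.compile(r'^[A-Za-z]:\\(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>|\r\n]+$')


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def collect_manifest(paths):
    """One record per path: exists flag plus size/mtime/sha256 if present."""
    manifest = []
    for p in paths:
        entry = {"path": p, "exists": os.path.isfile(p)}
        if entry["exists"]:
            st = os.stat(p)
            entry.update(
                size=st.st_size,
                mtime=datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                sha256=sha256_file(p),
            )
        manifest.append(entry)
    return manifest


def write_manifest(manifest, out_path):
    with open(out_path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2)
    return out_path


def build_avenger_script(files, folders=()):
    """Emit 'Files to delete:' / 'Folders to delete:' sections in the
    layout used in the post above. Rejects non-absolute or wildcard
    paths and drops case-insensitive duplicates."""
    seen = set()

    def clean(items):
        out = []
        for item in items:
            item = item.strip()
            if not WIN_ABS_PATH.match(item):
                raise ValueError(f"refusing non-absolute or wildcard path: {item!r}")
            if item.lower() not in seen:
                seen.add(item.lower())
                out.append(item)
        return out

    lines = ["Files to delete:", *clean(files), "", "Folders to delete:", *clean(folders)]
    return "\n".join(lines).rstrip() + "\n"


def demo():
    """Constructed run: one real file with known content, one missing."""
    workdir = tempfile.mkdtemp(prefix="avenger-manifest-")
    present = os.path.join(workdir, "kertss.dll")
    with open(present, "wb") as fh:
        fh.write(b"hello")  # constructed content, not the real DLL
    manifest = collect_manifest([present, os.path.join(workdir, "kertss.dll.vir")])
    write_manifest(manifest, os.path.join(workdir, "manifest.json"))
    return manifest


if __name__ == "__main__":
    print(build_avenger_script(SUSPECT_FILES), end="")
    print(json.dumps(demo(), indent=2))
```

Keep the manifest off the infected machine (a USB stick or the forum post itself) so it cannot be altered by whatever the next reboot reloads, and compare its SHA-256 values with the Jotti results from the previous step: if a hash the scanners already flagged is missing from avenger.txt after the run, the file was recreated between the manifest and the reboot, which is the re-infection loop this thread is about.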

tashi
2007-09-17, 16:59
BananaJoe

5) Final Run:
Towards the end of a cleanup please make sure you follow through with any final log requested even if it appears to you that your computer is back to normal operation.
As much as we like our members ;) we would rather not see you back in a few weeks because there was no follow up with the helper. :eek:
http://forums.spybot.info/showpost.php?p=1150&postcount=2