PDA

View Full Version : Need help please. Virtumonde malware


Australia
2007-09-12, 22:22
Hi!
I have been troubled by pop ads that have slowed down my computer and has significantly reduced my work productivity.

Posted below are my log files. Any help will be greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:09:42 PM, on 09/12/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\S24EvMon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\system32\wex4962\EMCliSrv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\RegSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\DWRCST.exe
C:\WINNT\system32\wex4962\emmeter.exe
C:\Program Files\NETGEAR\WPN511\Utility\WPN511.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Cisco Systems\IPTV Viewer\hsildw32.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Documents and Settings\meenganj\Start Menu\Programs\Startup\MSOFFICE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Documents and Settings\meenganj\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scvwd.gov/
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EMMeter] C:\WINNT\system32\wex4962\EMMeter.exe /quiet
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [AS00_WPN511] C:\Program Files\NETGEAR\WPN511\Utility\WPN511.exe -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [MSOffice] rundll32.exe "C:\WINNT\fccyxu.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - .DEFAULT Startup: MSOFFICE.EXE (User 'Default user')
O4 - .DEFAULT User Startup: MSOFFICE.EXE (User 'Default user')
O4 - Startup: MSOFFICE.EXE
O4 - Global Startup: IGMPv3 Lite Daemon.lnk = C:\Program Files\Cisco Systems\IPTV Viewer\hsildw32.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.scvwd.gov/CFIDE/classes/CFJava.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/22125704258b9e6a2604/netzip/RdxIE601.cab
O16 - DPF: {5879B3B0-566E-4ECB-9B77-9A8A5E62AAB8} (DeviceMon Class) - http://www.blackberry.com/DST2007/patch/desktop/DSTUpdateLoaderUSB.cab
O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) -
O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - http://srvoas.scvwd.gov:7778/forms90/jinitiator/jinit.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://vocus.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = scvwd.gov
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = scvwd.gov
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = scvwd.gov
O20 - AppInit_DLLs: c:\winnt\system32\jkhecaa.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: proc500 - C:\WINNT\SYSTEM32\proc500.dll
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: EMCliSrv - Express Metrix - C:\WINNT\system32\wex4962\EMCliSrv.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Iap - Dell Inc. - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\system32\S24EvMon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINNT\System32\wltrysvc.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\system32\ZipToA.exe

--
End of file - 7544 bytes
steamwiz
2007-09-13, 01:05
Hi

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
1. Double-click VundoFix.exe to run it.
2. When VundoFix re-opens, click the Scan for Vundo button.
3. Once it's done scanning, click the Remove Vundo button.
4. You will receive a prompt asking if you want to remove the files, click "YES".
5. Once you click yes, your desktop will go blank as it starts removing Vundo.
6. When completed, it will prompt that it will reboot your computer, click "OK".

7. Please post the contents of C:\vundofix.txt

If vundofix cannot delete a file, it will try to delete it during a reboot, after the reboot vundofix will open again, you must run vundofix again, from "Click the Scan for Vundo button" ... and you must keep running vundofix until it does delete the file... I've known a stubborn vundo file take 5 or 6 reboots before it is deleted...

Keep running vundofix untill it gives you the message "no infected files were found"

THEN ...

Please download Combofix: http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
and save to the desktop.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.

Notes:
* Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

Please remember to post :-

C:\vundofix.txt
C:\ComboFix.txt
a new hijackthis log (run after the 2 above programs)

steam
tashi
2007-09-21, 23:27
Australia, same day response from helper. :spider:

This topic has been archived due to lack of a response.

If you need it re-opened, please send me a private message (pm) and provide a link to the thread.

Applies only to the original poster, anyone else with similar problems please start a new topic.