Virtumonde and Smitfraude can't be fixed



rebeca10s
2008-01-12, 12:40
Hello,

I believe I've followed the instructions with regard to the Kaspersky Scan and Spybot S&D. I've run Spybot in both safe mode and normal Windows numerous times, and it appears to have worked well in removing various malware and hijackers (Command, C2 Lop, CAS). However, Virtumonde and Smitfraud trojans continue to be found and have yet to be cleaned. Unfortunately, when I try to open the HijackThis exe, an application error message appears saying "The instruction at '0x100511f3' referenced memory at '0x00000000'. The memory could not be 'read'." and it won't finish, so I can't thus far provide a log for you from HJT. The Kaspersky Scan is pasted below. Can you help?

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, January 11, 2008 5:30:02 AM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 11/01/2008
Kaspersky Anti-Virus database records: 507550
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 30885
Number of viruses found: 29
Number of infected objects: 88
Number of suspicious objects: 0
Duration of the scan process: 00:53:12

Infected Object Name / Virus Name / Last Action
C:\WINNT\system32\drivers\core.sys Object is locked skipped
C:\WINNT\system32\drivers\core.cache.dsk Object is locked skipped
C:\WINNT\system32\awtropm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINNT\system32\F3\n553.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\WINNT\system32\dwdsregt.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\WINNT\system32\urqolll.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINNT\system32\mmdsregp.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\WINNT\system32\fccbbya.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINNT\system32\f02WtR\f02WtR1065.exe Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\WINNT\system32\khfgheb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINNT\system32\kwinnndt.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.r skipped
C:\WINNT\system32\vtuustr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINNT\system32\khfcbax.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINNT\system32\iifcaxw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.clb skipped
C:\WINNT\system32\kwinnndq.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\WINNT\system32\mljkjii.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.clb skipped
C:\WINNT\system32\ardCo01\ardCo011065.exe Infected: Trojan-Downloader.Win32.VB.ccs skipped
C:\WINNT\system32\psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.131 skipped
C:\WINNT\system32\sh2.bat Infected: Trojan.BAT.Passer.a skipped
C:\WINNT\system32\sh3.bat Infected: Trojan.BAT.Passer.a skipped
C:\WINNT\system32\Perflib_Perfdata_4f0.dat Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\sam Object is locked skipped
C:\WINNT\system32\config\security Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
C:\WINNT\Downloaded Program Files\UWA7P_0001_N91M0809NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINNT\Downloaded Program Files\CONFLICT.1\UWA7P_0001_N91M0809NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINNT\CSC\d2\00000011 Object is locked skipped
C:\WINNT\CSC\d2\000000D9 Object is locked skipped
C:\WINNT\CSC\d3\00000012 Object is locked skipped
C:\WINNT\CSC\d4\00000013 Object is locked skipped
C:\WINNT\CSC\d5\00000014 Object is locked skipped
C:\WINNT\CSC\d5\0000008C Object is locked skipped
C:\WINNT\CSC\d8\00000017 Object is locked skipped
C:\WINNT\CSC\d8\0000001F Object is locked skipped
C:\WINNT\CSC\d8\00000087 Object is locked skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\CSC\00000003 Object is locked skipped
C:\WINNT\CSC\00000002 Object is locked skipped
C:\WINNT\browserxtras\pn\remove.exe/data0003 Infected: Trojan-Downloader.Win32.Keenval.f skipped
C:\WINNT\browserxtras\pn\remove.exe NSIS: infected - 1 skipped
C:\WINNT\DLP.dll Infected: not-a-virus:AdWare.Win32.Webdir.b skipped
C:\WINNT\NDNuninstall4_80.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\WINNT\TISKY009.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\WINNT\pltyedj.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\WINNT\NDNuninstall5_40.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\WINNT\NDNuninstall5_48.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\WINNT\pltyedjA.exe Infected: Trojan-Downloader.Win32.VB.ang skipped
C:\WINNT\NDNuninstall5_64.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\WINNT\NDNuninstall6_10.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\WINNT\mrofinu.exe Infected: Trojan-Downloader.Win32.Agent.fjx skipped
C:\WINNT\ltvow0578.exe Infected: Trojan-Downloader.Win32.Small.fgr skipped
C:\WINNT\NDNuninstall6_22.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\WINNT\cuqqo0578.exe Infected: not-a-virus:AdWare.Win32.AutoSearch.e skipped
C:\WINNT\17PHolmes572.exe Infected: Trojan-Downloader.Win32.Agent.gwh skipped
C:\WINNT\17PHolmes1000106.exe Infected: Trojan-Downloader.Win32.Agent.gwh skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\SoftwareDistribution\EventCache\{05C56D5A-46A2-46D1-A664-E078B27C71BA}.bin Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Once Wma Grim Support\kind info.exe Infected: Packed.Win32.PolyCrypt.d skipped
C:\Documents and Settings\All Users\Application Data\Once Wma Grim Support\Intralite.exe Infected: Packed.Win32.PolyCrypt.d skipped
C:\Documents and Settings\All Users\Application Data\Once Wma Grim Support\Hold army.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\Documents and Settings\All Users\Application Data\Once Wma Grim Support\4 site.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\Documents and Settings\All Users\Application Data\Once Wma Grim Support\Cdrom Base.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\Documents and Settings\All Users\Application Data\Once Wma Grim Support\Internet Regs.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\Documents and Settings\All Users\Application Data\Once Wma Grim Support\RULEBASE.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\Documents and Settings\All Users\Application Data\Once Wma Grim Support\Hide wma.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\Documents and Settings\All Users\Application Data\Once Wma Grim Support\BindVga.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\Documents and Settings\All Users\Application Data\Once Wma Grim Support\Dvdscr.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\Documents and Settings\Rebeccah\Desktop\rebeccah\Local Settings\Temp\tnbbokfm.exe Infected: Packed.Win32.PolyCrypt.d skipped
C:\Documents and Settings\Rebeccah\Desktop\rebeccah\Local Settings\Temp\sta36.exe Infected: not-a-virus:AdWare.Win32.Lop.ag skipped
C:\Documents and Settings\Rebeccah\Desktop\rebeccah\Local Settings\Temp\ca29e48e.exe Infected: not-a-virus:AdWare.Win32.Lop.ag skipped
C:\Documents and Settings\Rebeccah\Desktop\rebeccah\Desktop\ITS.exe/stream/data0028 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\Rebeccah\Desktop\rebeccah\Desktop\ITS.exe/stream/data0075 Infected: not-a-virus:RiskTool.Win32.PsKill.k skipped
C:\Documents and Settings\Rebeccah\Desktop\rebeccah\Desktop\ITS.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.k skipped
C:\Documents and Settings\Rebeccah\Desktop\rebeccah\Desktop\ITS.exe NSIS: infected - 3 skipped
C:\Documents and Settings\Rebeccah\Desktop\rebeccah\Application Data\free time\MathAxisAbout.exe Infected: not-a-virus:AdWare.Win32.Lop.ag skipped
C:\Documents and Settings\Rebeccah\Desktop\rebeccah\Application Data\free time\grghnlhd.exe Infected: Packed.Win32.PolyCrypt.d skipped
C:\Documents and Settings\Rebeccah\Desktop\rebeccah\Application Data\free time\Campbrowsebuildante.exe Infected: not-a-virus:AdWare.Win32.Lop.ag skipped
C:\Documents and Settings\Rebeccah\Desktop\rebeccah\Application Data\free time\DATE BOLD DOWNLOAD.exe Infected: Trojan-Downloader.Win32.Swizzor.fg skipped
C:\Documents and Settings\Rebeccah\Desktop\rebeccah\Application Data\free time\pcxvaxmv.exe Infected: Packed.Win32.PolyCrypt.d skipped
C:\Documents and Settings\Rebeccah\Desktop\rebeccah\Application Data\free time\nljhzcxx.exe Infected: Packed.Win32.PolyCrypt.d skipped
C:\Documents and Settings\Rebeccah\Desktop\rebeccah\Application Data\free time\hanljhzc.exe Infected: Packed.Win32.PolyCrypt.d skipped
C:\Documents and Settings\Rebeccah\Desktop\rebeccah\Application Data\free time\btvdnrsj.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\Documents and Settings\Rebeccah\Desktop\rebeccah\Application Data\free time\buckdjmz.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\Documents and Settings\Rebeccah\Desktop\rebeccah\Application Data\free time\ctefgdum.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\Documents and Settings\Rebeccah\Desktop\rebeccah\Application Data\free time\bmnvzozq.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\Documents and Settings\Rebeccah\Desktop\rebeccah\Application Data\free time\wnfdzrmh.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\Documents and Settings\Rebeccah\Desktop\rebeccah\Application Data\free time\hahyxpog.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\Documents and Settings\Rebeccah\Desktop\rebeccah\Application Data\free time\aahveseu.exe Infected: Packed.Win32.PolyCrypt.d skipped
C:\Documents and Settings\Rebeccah\Desktop\rebeccah\Application Data\free time\lquwlnjn.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\Documents and Settings\Rebeccah\Desktop\rebeccah\Application Data\free time\jmtcsfet.exe Infected: not-a-virus:AdWare.Win32.Lop.ag skipped
C:\Documents and Settings\Rebeccah\Desktop\rebeccah\Application Data\free time\iqcvyajp.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\Documents and Settings\Rebeccah\Desktop\rebeccah\Application Data\Soft Surf Coal\encref.exe Infected: Trojan-Downloader.Win32.Swizzor.fg skipped
C:\Documents and Settings\Rebeccah\Desktop\rebeccah\rduvoisi\Local Settings\Temp\_update.dat Infected: Trojan-Spy.Win32.Agent.l skipped
C:\Documents and Settings\duvoisin\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\duvoisin\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\duvoisin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\duvoisin\Local Settings\Temporary Internet Files\Content.IE5\KBGFI3O3\search[1].htm Object is locked skipped
C:\Documents and Settings\duvoisin\Local Settings\Temp\~DF2073.tmp Object is locked skipped
C:\Documents and Settings\duvoisin\Local Settings\History\History.IE5\MSHist012008011120080112\index.dat Object is locked skipped
C:\Documents and Settings\duvoisin\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\duvoisin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\duvoisin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\duvoisin\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\duvoisin\My Documents\download\beccisbest\AVICodecPackPlus2.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.Webdir.b skipped
C:\Documents and Settings\duvoisin\My Documents\download\beccisbest\AVICodecPackPlus2.exe/stream Infected: not-a-virus:AdWare.Win32.Webdir.b skipped
C:\Documents and Settings\duvoisin\My Documents\download\beccisbest\AVICodecPackPlus2.exe NSIS: infected - 2 skipped
C:\Documents and Settings\duvoisin\My Documents\download\beccisbest\DivXPro511Adware.exe/stream/data0019 Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped
C:\Documents and Settings\duvoisin\My Documents\download\beccisbest\DivXPro511Adware.exe/stream Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped
C:\Documents and Settings\duvoisin\My Documents\download\beccisbest\DivXPro511Adware.exe NSIS: infected - 2 skipped
C:\Documents and Settings\duvoisin\Cookies\index.dat Object is locked skipped
C:\Program Files\Common Files\WіnSxS\lsass.exe Infected: Trojan-Downloader.Win32.PurityScan.ez skipped
C:\Program Files\NetMeeting\pronykaby.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\Program Files\Adverts\uninst.exe Infected: Packed.Win32.PolyCrypt.d skipped
C:\Program Files\ITS\programs\remove.new.net.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Program Files\ITS\programs\ps\pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.k skipped
C:\Program Files\ITS\programs\backups\backup-20050924-135432-124.dll Infected: Trojan-Downloader.Win32.Swizzor.fg skipped
C:\Program Files\GOtoolbar.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.Mostofate.e skipped
C:\Program Files\GOtoolbar.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.e skipped
C:\Program Files\GOtoolbar.exe NSIS: infected - 2 skipped

Scan process completed.

Please advise on the next step.
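As an added triage example (not the poster's or the forum's own code): a small Python parser for the one-object-per-line Kaspersky report format above. It counts detections per malware family, sets aside the "Object is locked" entries, and flags two patterns visible in the log, a non-ASCII (homoglyph) directory name like the WіnSxS entry and a well-known system binary name such as lsass.exe sitting outside system32. The sample lines and the SYSTEM_BINARIES set are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample in the one-object-per-line format of the report above
# (<path> <result> skipped); a handful of lines, not the full report.
SAMPLE_REPORT = """\
C:\\WINNT\\system32\\awtropm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\\WINNT\\system32\\config\\sam Object is locked skipped
C:\\WINNT\\system32\\sh2.bat Infected: Trojan.BAT.Passer.a skipped
C:\\WINNT\\browserxtras\\pn\\remove.exe NSIS: infected - 1 skipped
C:\\Program Files\\Common Files\\W\u0456nSxS\\lsass.exe Infected: Trojan-Downloader.Win32.PurityScan.ez skipped
"""

# <path>, then one of three results, always followed by the last action "skipped"
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:Infected: (?P<verdict>\S+)"
    r"|NSIS: infected - (?P<count>\d+)|Object is locked) skipped$"
)
# Constructed list of Windows system binaries that belong under system32 only
SYSTEM_BINARIES = {"lsass.exe", "csrss.exe", "svchost.exe", "winlogon.exe"}

def parse_line(line):
    """Return (path, verdict_or_None, locked) for one object line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    locked = m.group("verdict") is None and m.group("count") is None
    return m.group("path"), m.group("verdict"), locked

def family(verdict):
    """'not-a-virus:AdWare.Win32.Virtumonde.jp' -> 'Virtumonde'."""
    parts = verdict.split(":")[-1].split(".")
    return parts[2] if len(parts) >= 3 else parts[-1]

def flags(path):
    """Defender-side checks: homoglyph directory names, misplaced system binaries."""
    out = []
    if any(ord(c) > 127 for c in path):
        out.append("non-ascii-path")  # e.g. Cyrillic i in a look-alike 'WinSxS'
    base = path.rsplit("\\", 1)[-1].lower()
    if base in SYSTEM_BINARIES and "\\system32\\" not in path.lower():
        out.append("system-binary-outside-system32")
    return out

def triage(report):
    """Summarise a report: detections per family, locked count, flagged paths."""
    families, flagged, locked = Counter(), {}, 0
    for path, verdict, is_locked in filter(None, map(parse_line, report.splitlines())):
        if is_locked:
            locked += 1
            continue
        if verdict:
            families[family(verdict)] += 1
        if f := flags(path):
            flagged[path] = f
    return {"families": families, "locked": locked, "flagged": flagged}
```

Lines that are not object entries (the header, "Scan process completed.") are ignored, so the whole report text can be passed in unchanged.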

ken545
2008-01-12, 15:55
Hello Rebecca

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
All advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

It looks like you may have the latest version of the Vundo Trojan, which includes a file infector: what this trojan does is place an infected file into one or more of your programs. I need you to run both of these programs; they will tell us more. Then, after you run them, download and install the latest version of HJT by Trend Micro. I need to see the log; I can't do too much without it. If you have the earlier version of HJT, 1.99.1, then uninstall it via Add/Remove Programs in the Control Panel.

Download VundoFix (http://www.atribune.org/ccount/click.php?id=4 ) to your desktop

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double-click combofix.exe and follow the prompts.
When finished, it will produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Download Trend Micro's HijackThis (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe) to your desktop, double-click it to install, and follow the prompts; by default it will install in C:\Program Files\Trendmicro\Hijackthis\Highjackthis.exe

Open HJT and click Scan and Save a Log File; it will open in Notepad.
Go to Format and make sure Word Wrap is unchecked.
Go to Edit > Select All, then Edit > Copy, and paste the new log into this thread by using
Post Reply, not by starting a New Thread.

DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or
even required.

I need to see the following:

1. VundoFix log
2. ComboFix log
3. HijackThis log by Trend Micro