Virtumonde also :(



argoon
2008-01-19, 04:35
I have already scanned the PC 5 times with S-SD and Virtumonde is always found.

Here is my hijackthis log


Logfile of HijackThis v1.99.1
Scan saved at 2:30:57, on 19/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Ficheiros comuns\Autodesk Shared\Service\AdskScSrv.exe
C:\Programas\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Programas\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\UAService7.exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE
C:\Programas\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Programas\Creative\Shared Files\Module Loader\DLLML.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\CTHELPER.EXE
C:\Programas\Java\jre1.6.0_03\bin\jusched.exe
C:\Programas\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Creative\MediaSource\Detector\CTDetect.exe
C:\Programas\Packard Bell Data Secure\PBDataSecure.exe
C:\Programas\DAEMON Tools\daemon.exe
C:\Programas\Ray Adams\ATI Tray Tools\atitray.exe
C:\Programas\OpenOffice.org 2.3\program\soffice.exe
C:\Programas\stickies\stickies.exe
C:\Programas\OpenOffice.org 2.3\program\soffice.BIN
C:\Programas\HandyCafe\Server\hndserver.exe
C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Disco_D\windows_software\ramdom.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [CTDVDDET] C:\Programas\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Programas\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [RCSystem] "C:\Programas\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Programas\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Programas\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [amd_dc_opt] C:\Programas\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0C2.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
O4 - HKLM\..\Run: [XboxStat] "C:\Programas\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Programas\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [Packard Bell Data Secure] C:\Programas\Packard Bell Data Secure\PBDataSecure.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Programas\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [igndlm.exe] C:\Programas\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [AtiTrayTools] "C:\Programas\Ray Adams\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Programas\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Programas\OpenOffice.org 2.3\program\quickstart.exe
O4 - Startup: Stickies.lnk = C:\Programas\stickies\stickies.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\programas\bonjour\mdnsnsp.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15034/CTPID.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programas\Ficheiros comuns\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programas\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Programas\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programas\Sygate\SPF\smc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

Shaba
2008-01-20, 12:35
Hi argoon and welcome to Safer Networking Forums

Please post spybot report next.

argoon
2008-01-21, 00:09
Hi, thanks for the reply. Here is the report.


Virtumonde: [SBI $1F8EC695] Configurações (Chave do registo, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR

DoubleClick: [SBI $61F39AC8] Cookie de rastreamento (Firefox: default) (Cookie, nothing done)


HitBox: [SBI $61F39AC8] Cookie de rastreamento (Firefox: default) (Cookie, nothing done)


HitBox: [SBI $61F39AC8] Cookie de rastreamento (Firefox: default) (Cookie, nothing done)


HitBox: [SBI $61F39AC8] Cookie de rastreamento (Firefox: default) (Cookie, nothing done)


HitBox: [SBI $61F39AC8] Cookie de rastreamento (Firefox: default) (Cookie, nothing done)


HitBox: [SBI $61F39AC8] Cookie de rastreamento (Firefox: default) (Cookie, nothing done)


HitBox: [SBI $61F39AC8] Cookie de rastreamento (Firefox: default) (Cookie, nothing done)


HitBox: [SBI $61F39AC8] Cookie de rastreamento (Firefox: default) (Cookie, nothing done)


HitBox: [SBI $61F39AC8] Cookie de rastreamento (Firefox: default) (Cookie, nothing done)


HitBox: [SBI $61F39AC8] Cookie de rastreamento (Firefox: default) (Cookie, nothing done)


HitBox: [SBI $61F39AC8] Cookie de rastreamento (Firefox: default) (Cookie, nothing done)


Statcounter: [SBI $61F39AC8] Cookie de rastreamento (Firefox: default) (Cookie, nothing done)


Statcounter: [SBI $61F39AC8] Cookie de rastreamento (Firefox: default) (Cookie, nothing done)


Statcounter: [SBI $61F39AC8] Cookie de rastreamento (Firefox: default) (Cookie, nothing done)


Statcounter: [SBI $61F39AC8] Cookie de rastreamento (Firefox: default) (Cookie, nothing done)


Statcounter: [SBI $61F39AC8] Cookie de rastreamento (Firefox: default) (Cookie, nothing done)


Statcounter: [SBI $61F39AC8] Cookie de rastreamento (Firefox: default) (Cookie, nothing done)


Statcounter: [SBI $61F39AC8] Cookie de rastreamento (Firefox: default) (Cookie, nothing done)


Statcounter: [SBI $61F39AC8] Cookie de rastreamento (Firefox: default) (Cookie, nothing done)


Statcounter: [SBI $61F39AC8] Cookie de rastreamento (Firefox: default) (Cookie, nothing done)


Statcounter: [SBI $61F39AC8] Cookie de rastreamento (Firefox: default) (Cookie, nothing done)


Statcounter: [SBI $61F39AC8] Cookie de rastreamento (Firefox: default) (Cookie, nothing done)


Statcounter: [SBI $61F39AC8] Cookie de rastreamento (Firefox: default) (Cookie, nothing done)


Statcounter: [SBI $61F39AC8] Cookie de rastreamento (Firefox: default) (Cookie, nothing done)


Statcounter: [SBI $61F39AC8] Cookie de rastreamento (Firefox: default) (Cookie, nothing done)


Statcounter: [SBI $61F39AC8] Cookie de rastreamento (Firefox: default) (Cookie, nothing done)


Statcounter: [SBI $61F39AC8] Cookie de rastreamento (Firefox: default) (Cookie, nothing done)


Statcounter: [SBI $61F39AC8] Cookie de rastreamento (Firefox: default) (Cookie, nothing done)


Statcounter: [SBI $61F39AC8] Cookie de rastreamento (Firefox: default) (Cookie, nothing done)


Statcounter: [SBI $61F39AC8] Cookie de rastreamento (Firefox: default) (Cookie, nothing done)


Statcounter: [SBI $61F39AC8] Cookie de rastreamento (Firefox: default) (Cookie, nothing done)


Statcounter: [SBI $61F39AC8] Cookie de rastreamento (Firefox: default) (Cookie, nothing done)


Statcounter: [SBI $61F39AC8] Cookie de rastreamento (Firefox: default) (Cookie, nothing done)


Statcounter: [SBI $61F39AC8] Cookie de rastreamento (Firefox: default) (Cookie, nothing done)


Statcounter: [SBI $61F39AC8] Cookie de rastreamento (Firefox: default) (Cookie, nothing done)


Statcounter: [SBI $61F39AC8] Cookie de rastreamento (Firefox: default) (Cookie, nothing done)


HitsLink: [SBI $61F39AC8] Cookie de rastreamento (Firefox: default) (Cookie, nothing done)


WebTrends live: [SBI $61F39AC8] Cookie de rastreamento (Firefox: default) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.5 (build: 20070830) ---

2007-08-31 blindman.exe (1.0.0.6)
2007-08-31 SDMain.exe (1.0.0.4)
2007-08-31 SDUpdate.exe (1.0.6.4)
2007-08-31 SDWinSec.exe (1.0.0.8)
2007-08-31 SpybotSD.exe (1.5.1.15)
2007-08-31 TeaTimer.exe (1.5.0.9)
2008-01-19 unins000.exe (51.46.0.0)
2007-08-31 Update.exe (1.4.0.5)
2007-08-31 advcheck.dll (1.5.3.0)
2007-04-02 aports.dll (2.1.0.0)
2007-04-02 DelZip179.dll (1.79.5.3)
2007-08-31 SDHelper.dll (1.5.0.8)
2007-08-31 Tools.dll (2.1.2.0)
2008-01-16 Includes\Cookies.sbi (*)
2007-12-26 Includes\Dialer.sbi (*)
2008-01-16 Includes\DialerC.sbi (*)
2008-01-16 Includes\HeavyDuty.sbi (*)
2007-12-26 Includes\Hijackers.sbi (*)
2008-01-16 Includes\HijackersC.sbi (*)
2007-10-04 Includes\Keyloggers.sbi (*)
2008-01-16 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-01-16 Includes\Malware.sbi (*)
2008-01-16 Includes\MalwareC.sbi (*)
2007-10-24 Includes\PUPS.sbi (*)
2008-01-16 Includes\PUPSC.sbi (*)
2008-01-16 Includes\Revision.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-01-16 Includes\SecurityC.sbi (*)
2007-11-07 Includes\Spybots.sbi (*)
2008-01-16 Includes\SpybotsC.sbi (*)
2007-11-06 Includes\Tracks.uti
2008-01-16 Includes\Trojans.sbi (*)
2008-01-16 Includes\TrojansC.sbi (*)
2008-12-24 Plugins\TCPIPAddress.dll

Shaba
2008-01-21, 12:26
Hi

First we'll need to back up the registry:

Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.

Save the text below as fix.reg in Notepad (save it as All Files (*.*)) on the Desktop:

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR]

It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif

Double-click fix.reg, press Yes and OK.

(In case you are unsure how to create a reg file, take a look here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Reg_File_) with screenshots.)

Reboot.

Re-scan with Spybot and tell me if it still finds it.
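
The same fix done from an elevated PowerShell prompt instead of a .reg file, as an added example that is not part of the thread or of the helper's instructions: it exports the key with reg.exe before deleting it (so the change can be undone by importing the backup), deletes the key the way the `[-HKEY_LOCAL_MACHINE\...\MSSMGR]` line in fix.reg does, and then checks whether the key is still present. The backup file name and the Desktop location are assumptions; the key path is the one from the Spybot report.

```powershell
# Added example, not from the thread: back up and remove the key that fix.reg deletes.
# Run from an elevated (Administrator) PowerShell prompt; writing under HKLM needs admin rights.
param(
    # The key in reg.exe syntax (for the export) and in provider syntax (for Remove-Item).
    [string]$RegKey = 'HKLM\SOFTWARE\Microsoft\MSSMGR',
    [string]$PsKey  = 'HKLM:\SOFTWARE\Microsoft\MSSMGR',
    # Backup location is an assumption; a timestamp avoids overwriting an earlier backup.
    [string]$Backup = (Join-Path ([Environment]::GetFolderPath('Desktop')) `
                       ("MSSMGR-backup-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date)))
)

if (-not (Test-Path -Path $PsKey)) {
    Write-Host "Key not present: $RegKey (nothing to do)"
    return
}

# Show the values under the key so they can be inspected before anything is removed.
Get-ItemProperty -Path $PsKey | Format-List

# Export the key first; importing this file later restores it if the removal was a mistake.
reg.exe export $RegKey $Backup | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Backup of $RegKey failed; aborting without changes."
}
Write-Host "Backup written to $Backup"

# Equivalent of the [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR] line in fix.reg:
# delete the key together with any subkeys and values.
Remove-Item -Path $PsKey -Recurse -Force

# A key that comes back after deletion points to something still running that re-creates it.
if (Test-Path -Path $PsKey) {
    Write-Warning "Key $RegKey is still present after removal; re-scan and check running processes."
} else {
    Write-Host "Removed $RegKey"
}
```

Save it as a .ps1 file and run it once; a second run reports that the key is not present. If the key reappears after a reboot, that is the same signal the helper is looking for with the re-scan: the key itself is only a trace, and whatever writes it has not been removed yet.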

argoon
2008-01-21, 18:41
It's gone!! :bigthumb: Thanks

Shaba
2008-01-21, 19:43
Hi

Nice to hear :)

Next, let's run an online scan:

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:
  + Extended (if available, otherwise Standard)
o Scan Options:
  + Scan Archives
  + Scan Mail Bases

Click OK
Now, under "Select a target to scan", select My Computer.
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Note: This scanner will work with Internet Explorer only!

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.

Post:

- a fresh HijackThis log
- kaspersky report

Shaba
2008-01-26, 12:27
Due to the lack of feedback, this topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.