PDA

View Full Version : Help! a familiar cry...Virtumonde


anadin
2008-04-10, 11:53
Its got me, heres the HJT & Kapersky....any help appreciated...thanks in advance...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:32:06, on 10/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Grisoft\AVG7\avgwa.dat
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {24E9519B-3F70-429B-99BC-4B2B49B96F66} - C:\WINDOWS\system32\jkkKCtsQ.dll
O2 - BHO: (no name) - {4671D6D9-113C-4647-9610-F844C8C88903} - C:\WINDOWS\system32\wvUoMccY.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {DFBD3845-5811-453E-94CA-82781DAA659A} - C:\WINDOWS\system32\ljJButRK.dll (file missing)
O2 - BHO: (no name) - {ED7120B4-2C2D-445D-9312-0930DBED09C3} - C:\WINDOWS\system32\khfCuRkH.dll (file missing)
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA7631] command /c del "C:\WINDOWS\SYSTEM32\nnnoPHbC.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3558] cmd /c del "C:\WINDOWS\SYSTEM32\nnnoPHbC.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8321] command /c del "C:\WINDOWS\SYSTEM32\ljJButRK.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9510] cmd /c del "C:\WINDOWS\SYSTEM32\ljJButRK.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3032] command /c del "C:\WINDOWS\SYSTEM32\nnnoPHbC.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3857] cmd /c del "C:\WINDOWS\SYSTEM32\nnnoPHbC.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9989] command /c del "C:\WINDOWS\SYSTEM32\ljJButRK.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7560] cmd /c del "C:\WINDOWS\SYSTEM32\ljJButRK.dll_old"
O4 - HKUS\S-1-5-21-1957994488-527237240-839522115-1003\..\RunOnce: [SpybotDeletingB3032] command /c del "C:\WINDOWS\SYSTEM32\nnnoPHbC.dll_old" (User '?')
O4 - HKUS\S-1-5-21-1957994488-527237240-839522115-1003\..\RunOnce: [SpybotDeletingD3857] cmd /c del "C:\WINDOWS\SYSTEM32\nnnoPHbC.dll_old" (User '?')
O4 - HKUS\S-1-5-21-1957994488-527237240-839522115-1003\..\RunOnce: [SpybotDeletingB9989] command /c del "C:\WINDOWS\SYSTEM32\ljJButRK.dll_old" (User '?')
O4 - HKUS\S-1-5-21-1957994488-527237240-839522115-1003\..\RunOnce: [SpybotDeletingD7560] cmd /c del "C:\WINDOWS\SYSTEM32\ljJButRK.dll_old" (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150284765597
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167327693234
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3613F62D-7DCD-45D8-88DF-EF58BDAD4DFA}: NameServer = 80.58.61.250,80.58.61.254
O17 - HKLM\System\CS5\Services\Tcpip\..\{3613F62D-7DCD-45D8-88DF-EF58BDAD4DFA}: NameServer = 80.58.61.250,80.58.61.254
O17 - HKLM\System\CS6\Services\Tcpip\..\{3613F62D-7DCD-45D8-88DF-EF58BDAD4DFA}: NameServer = 80.58.61.250,80.58.61.254
O17 - HKLM\System\CS7\Services\Tcpip\..\{3613F62D-7DCD-45D8-88DF-EF58BDAD4DFA}: NameServer = 80.58.61.250,80.58.61.254
O17 - HKLM\System\CS8\Services\Tcpip\..\{3613F62D-7DCD-45D8-88DF-EF58BDAD4DFA}: NameServer = 80.58.61.250,80.58.61.254
O17 - HKLM\System\CS9\Services\Tcpip\..\{3613F62D-7DCD-45D8-88DF-EF58BDAD4DFA}: NameServer = 80.58.61.250,80.58.61.254
O17 - HKLM\System\CS10\Services\Tcpip\..\{3613F62D-7DCD-45D8-88DF-EF58BDAD4DFA}: NameServer = 80.58.61.250,80.58.61.254
O17 - HKLM\System\CS11\Services\Tcpip\..\{3613F62D-7DCD-45D8-88DF-EF58BDAD4DFA}: NameServer = 80.58.61.250,80.58.61.254
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: jkkKCtsQ - C:\WINDOWS\SYSTEM32\jkkKCtsQ.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 7026 bytes
anadin
2008-04-10, 12:20
Sorry cant get to online scan either in IE or F/Fox
Blade81
2008-04-13, 17:36
Hi

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh hjt log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
Blade81
2008-04-20, 23:51
Due to inactivity, this thread will now be closed.

Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.