conjulian
2008-05-27, 02:15
Please help me out with this problem. I really would like to remove this Virtumonde and virtumonde.dll. After scanning and removing using Spybot, it keeps coming back as soon as I log in and open IE; it's already a waste of time doing a scan and fix every time.
Here's my HJT LOG
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:14:21 AM, on 5/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ISS\Proventia Desktop\blackd.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Notes\ntmulti.exe
C:\Program Files\ISS\Proventia Desktop\RapApp.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\ISS\Proventia Desktop\vpatch.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ISS\Proventia Desktop\blackice.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Notes\NLNOTES.EXE
C:\Notes\ntaskldr.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://apc.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://jpaa.apcc.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {0E91C6E6-78F4-41EA-ADA6-59AD257BE445} - C:\WINDOWS\system32\yayaWPIy.dll (file missing)
O2 - BHO: {4f2e2438-03cb-eada-00e4-e73d8c6ce7b1} - {1b7ec6c8-d37e-4e00-adae-bc308342e2f4} - C:\WINDOWS\system32\xnkeubcu.dll
O2 - BHO: (no name) - {38A24B7E-3BF0-463A-9D46-BC7F102B28B5} - C:\WINDOWS\system32\rqRlmjJc.dll (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {E4B824DC-9426-47E8-B08D-F33D67A52A59} - C:\WINDOWS\system32\jkkHWMed.dll (file missing)
O2 - BHO: (no name) - {E707216F-6AFF-4BD4-962D-EC5CDBA812A1} - C:\WINDOWS\system32\yayYPgDu.dll
O2 - BHO: (no name) - {E7A70E63-275E-4A85-80EF-62783114D8B3} - C:\WINDOWS\system32\khfEUoPH.dll (file missing)
O2 - BHO: (no name) - {E7E5E15A-A3A9-480A-B165-E9E4CE2D0208} - (no file)
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [imjpmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dc828f8f] rundll32.exe "C:\WINDOWS\system32\riwmpgvn.dll",b
O4 - HKLM\..\Run: [BMdfb1bc13] Rundll32.exe "C:\WINDOWS\system32\ejqoorqt.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Proventia Desktop Agent.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://jpaa.apcc.com
O15 - Trusted Zone: http://emea2.apc.com
O15 - Trusted Zone: http://emeasametime.apc.com
O15 - Trusted Zone: http://emeasametime.emea.apc.com
O15 - Trusted Zone: http://intouch.apc.com
O15 - Trusted Zone: http://jpaa-en.apc.com
O15 - Trusted Zone: http://jupiter.apc.com
O15 - Trusted Zone: http://jupiter1.apc.com
O15 - Trusted Zone: http://jupiter2.apc.com
O15 - Trusted Zone: http://jupiter4.apc.com
O15 - Trusted Zone: http://lam-en.apc.com
O15 - Trusted Zone: http://lam-es.apc.com
O15 - Trusted Zone: http://namsametime.apc.com
O15 - Trusted Zone: http://namsametime.ams.apc.com
O15 - Trusted Zone: http://order1.apc.com
O15 - Trusted Zone: http://trojan.apc.com
O15 - Trusted Zone: http://trojan3.apc.com
O15 - Trusted Zone: http://emea2.apcc.com
O15 - Trusted Zone: http://emeasametime.apcc.com
O15 - Trusted Zone: http://intouch.apcc.com
O15 - Trusted Zone: http://jupiter.apcc.com
O15 - Trusted Zone: http://jupiter1.apcc.com
O15 - Trusted Zone: http://jupiter2.apcc.com
O15 - Trusted Zone: http://jupiter4.apcc.com
O15 - Trusted Zone: http://namsametime.apcc.com
O15 - Trusted Zone: http://order1.apcc.com
O15 - Trusted Zone: http://trojan.apcc.com
O15 - Trusted Zone: http://trojan3.apcc.com
O15 - Trusted Zone: http://conextproducts.custhelp.com
O15 - Trusted Zone: http://*.emeasametime
O15 - Trusted Zone: http://*.namsametime
O15 - Trusted Zone: http://emea-cs.apc.com (HKLM)
O15 - Trusted Zone: http://emea-de.apc.com (HKLM)
O15 - Trusted Zone: http://emea-en.apc.com (HKLM)
O15 - Trusted Zone: http://emea-es.apc.com (HKLM)
O15 - Trusted Zone: http://emea-fr.apc.com (HKLM)
O15 - Trusted Zone: http://emea-it.apc.com (HKLM)
O15 - Trusted Zone: http://emea-pl.apc.com (HKLM)
O15 - Trusted Zone: http://emea2.apc.com (HKLM)
O15 - Trusted Zone: http://emeasametime.emea.apc.com (HKLM)
O15 - Trusted Zone: http://intouch.apc.com (HKLM)
O15 - Trusted Zone: http://jpaa-en.apc.com (HKLM)
O15 - Trusted Zone: http://jupiter.apc.com (HKLM)
O15 - Trusted Zone: http://jupiter1.apc.com (HKLM)
O15 - Trusted Zone: http://jupiter2.apc.com (HKLM)
O15 - Trusted Zone: http://jupiter4.apc.com (HKLM)
O15 - Trusted Zone: http://lam-en.apc.com (HKLM)
O15 - Trusted Zone: http://lam-es.apc.com (HKLM)
O15 - Trusted Zone: http://nam-en.apc.com (HKLM)
O15 - Trusted Zone: http://namsametime.ams.apc.com (HKLM)
O15 - Trusted Zone: http://order1.apc.com (HKLM)
O15 - Trusted Zone: http://siebel78.ams.apc.com (HKLM)
O15 - Trusted Zone: http://trojan.apc.com (HKLM)
O15 - Trusted Zone: http://trojan3.apc.com (HKLM)
O15 - Trusted Zone: http://emea2.apcc.com (HKLM)
O15 - Trusted Zone: http://intouch.apcc.com (HKLM)
O15 - Trusted Zone: http://jupiter.apcc.com (HKLM)
O15 - Trusted Zone: http://jupiter1.apcc.com (HKLM)
O15 - Trusted Zone: http://jupiter2.apcc.com (HKLM)
O15 - Trusted Zone: http://jupiter4.apcc.com (HKLM)
O15 - Trusted Zone: http://order1.apcc.com (HKLM)
O15 - Trusted Zone: http://trojan.apcc.com (HKLM)
O15 - Trusted Zone: http://trojan3.apcc.com (HKLM)
O15 - Trusted Zone: http://conextproducts.custhelp.com (HKLM)
O15 - Trusted Zone: http://*.emeasametime (HKLM)
O15 - Trusted Zone: http://*.namsametime (HKLM)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4571C6A3-CB9E-11D0-BDE2-0000F4B02CED} (Cincom Rich Client) - http://configurator.apc.com/products/powerstruxure/configurator/shared/cabs/attarxinf.cab
O16 - DPF: {54ACA3E0-63F2-4B76-9709-A32581F93FA8} (Siebel High Interactivity Framework) - http://siebel78.ams.apc.com/asp_eng/19230/applets/SiebelAx_HI_Client.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1208283993421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208241405281
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = asp.apc.com
O17 - HKLM\Software\..\Telephony: DomainName = asp.apc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = asp.apc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ams.apc.com,asp.apc.com,emea.apc.com,apc.com,apcc.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ams.apc.com,asp.apc.com,emea.apc.com,apc.com,apcc.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: yayYPgDu - C:\WINDOWS\SYSTEM32\yayYPgDu.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Notes\ntmulti.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\RapApp.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe
--
End of file - 15071 bytes