virtumonde



andrew_brown
2008-06-03, 18:11
Erm, I think I've been asked to post this here... not really sure what I'm doing, though...

Hi, I'm having a problem with spyware or adware, pop-ups etc., and I think it's Virtumonde, because I've run Spybot S&D loads of times now and it keeps finding Virtumonde, but when I try to delete it the program just freezes. I've tried to run it in Safe Mode and the same thing happens. I've also tried running ComboFix and going back to restoration points, and tried SUPERAntiSpyware, but none of these are doing anything. Can anyone please help? I have a log report from ComboFix, I think, but don't really know what to do with it? Thanks.

tashi
2008-06-03, 18:23
Hello,

If you decide to have an experienced malware removal specialist assist you, please follow the procedure in this link to run scans and produce a HijackThis log:

"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288).


But first! Read the BEFORE YOU POST PROCEDURE. It should give you a clear idea of the instructions and what you should be doing.
http://forums.spybot.info/showthread.php?t=28982

Another sticky topic: Do NOT run 'fixes' before helpers have analyzed HJT/KAV scans (http://forums.spybot.info/showthread.php?t=16806) ;)

You can skip the Spybot-S&D scan, but helpers will need to see the HJT log.

Start a new topic providing the log/s requested, then I will close this one as helpers look for threads without a response.

Regards. :)

andrew_brown
2008-06-03, 18:32
Is this the log?

ComboFix 08-05-29.1 - Andrew Brown 2008-06-02 19:35:56.1 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\Andrew Brown\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\myglobalsearch
C:\WINDOWS\BM8f93ec8d.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\cru629.dat
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aevqlxaf.exe
C:\WINDOWS\system32\avhlhvam.ini
C:\WINDOWS\system32\cnvtmcdo.dll
C:\WINDOWS\system32\cru629.dat
C:\WINDOWS\system32\cthayqhv.dll
C:\WINDOWS\system32\ddcCSIXp.dll
C:\WINDOWS\system32\dFrnx05
C:\WINDOWS\system32\dFrnx05\dFrnx051080.exe
C:\WINDOWS\system32\eabmsmqu.dll
C:\WINDOWS\system32\eqydmrnq.ini
C:\WINDOWS\system32\fqhxottg.dll
C:\WINDOWS\system32\gisgkinf.dll
C:\WINDOWS\system32\guewjcbk.exe
C:\WINDOWS\system32\hhacnsbk.dll
C:\WINDOWS\system32\hmdirotk.exe
C:\WINDOWS\system32\kqmgkjjt.ini
C:\WINDOWS\system32\kuympuxx.dll
C:\WINDOWS\system32\laogrpaj.exe
C:\WINDOWS\system32\lltojoyj.dll
C:\WINDOWS\system32\LTtDLRqr.ini
C:\WINDOWS\system32\LTtDLRqr.ini2
C:\WINDOWS\system32\mavhlhva.dll
C:\WINDOWS\system32\mlJYOfca.dll
C:\WINDOWS\system32\pqknfikf.ini
C:\WINDOWS\system32\pxhkwabm.exe
C:\WINDOWS\system32\pXISCcdd.ini
C:\WINDOWS\system32\qhnfhcqh.exe
C:\WINDOWS\system32\rltfcyho.dll
C:\WINDOWS\system32\tbgnjvet.exe
C:\WINDOWS\system32\tbxguavt.dll
C:\WINDOWS\system32\univrs32.dat
C:\WINDOWS\system32\vhqyahtc.ini

.
((((((((((((((((((((((((( Files Created from 2008-05-02 to 2008-06-02 )))))))))))))))))))))))))))))))
.

2008-06-02 19:16 . 2008-06-02 19:16 92,160 --a------ C:\WINDOWS\system32\gjbxqhau.dll
2008-06-02 19:15 . 2008-06-02 19:15 277,504 --a------ C:\WINDOWS\system32\rqRLDtTL.dll
2008-06-02 18:33 . 2008-06-02 18:38 <DIR> d-------- C:\RECYCLER(3)
2008-05-31 17:56 . 2008-06-02 18:41 <DIR> d--hs---- C:\RECYCLER(2)
2008-05-31 01:31 . 2008-06-02 18:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-29 23:52 . 2008-05-29 23:52 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-29 23:51 . 2008-05-29 23:51 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-29 17:29 . 2008-05-29 17:29 92,160 --a------ C:\WINDOWS\system32\gguwinap.dll
2008-05-29 17:25 . 2008-05-29 17:25 92,160 --a------ C:\WINDOWS\system32\nsvptivp.dll
2008-05-28 15:04 . 2008-05-28 15:04 92,160 --a------ C:\WINDOWS\system32\upnjbowl.dll
2008-05-27 21:26 . 2008-05-27 21:26 92,160 --a------ C:\WINDOWS\system32\dvtnmmjk.dll
2008-05-27 15:10 . 2008-05-27 15:09 406 --ahs---- C:\WINDOWS\system32\hydleava.ini
2008-05-27 14:47 . 2008-05-27 14:47 1,414,757 --ahs---- C:\WINDOWS\system32\hydleava.tmp
2008-05-27 00:52 . 2008-05-13 22:43 370,688 --a------ C:\WINDOWS\system32\fccddccc.dll_old
2008-05-27 00:52 . 2008-05-26 20:09 117,824 --a------ C:\WINDOWS\system32\vaqriovs.dll_old
2008-05-26 23:42 . 2008-05-26 23:42 92,160 --a------ C:\WINDOWS\system32\sgtauolv.dll
2008-05-26 21:41 . 2008-05-28 23:24 720 --a------ C:\WINDOWS\wininit.ini
2008-05-26 20:23 . 2008-06-02 19:24 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-26 20:23 . 2008-06-02 19:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-26 18:24 . 2008-05-26 19:55 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-13 22:43 . 2008-05-26 22:46 178 --ahs---- C:\WINDOWS\system32\cccddccf.ini
2008-05-13 17:44 . 2008-05-30 21:45 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-02 18:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-06-02 17:41 --------- d-----w C:\Program Files\Google
2008-06-02 13:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
2008-06-02 12:37 --------- d-----w C:\Program Files\SPSS
2008-05-26 21:34 --------- d-----w C:\Program Files\BearShare
2008-05-26 20:37 --------- d-----w C:\Program Files\VVSN
2008-05-26 18:51 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-06 22:04 --------- d-----w C:\Documents and Settings\Andrew Brown\Application Data\FrostWire
2008-04-15 17:27 --------- d-----w C:\Program Files\Java
2008-04-13 12:28 --------- d-----w C:\Program Files\GiPo@Utilities
2008-04-13 12:28 --------- d-----w C:\Program Files\Common Files\Gibinsoft Shared
2008-04-11 11:42 --------- d-----w C:\Program Files\Yahoo!
2008-04-10 19:05 --------- d-----w C:\Documents and Settings\Andrew Brown\Application Data\Skype
2008-04-10 19:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-09 13:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\ScanSoft
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{395E1DBA-B3E1-4FB6-A092-04014ABD1944}]
C:\WINDOWS\system32\fccddccc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3F0FBC50-5C3F-421B-97D1-EACB214E69BC}]
2008-06-02 19:15 277504 --a------ C:\WINDOWS\system32\rqRLDtTL.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{514A5C49-0C7D-42c3-A71B-38864A269B7A}]
2008-06-02 19:16 92160 --a------ C:\WINDOWS\system32\gjbxqhau.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23 102400]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-26 14:51 68856]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 12:23 1032640]
"mount.exe"="C:\Program Files\GiPo@Utilities\FileUtilities.3\mount.exe" [2008-04-11 16:17 374272]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 15:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 15:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 15:00 455168]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-03-10 19:44 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-03-10 19:43 688218]
"VTTimer"="VTTimer.exe" [2004-10-22 12:53 53248 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-01-11 08:33 143360 C:\WINDOWS\system32\VTTrayp.exe]
"STDSB"="C:\WINDOWS\system32\drivers\STDSB.exe" [2003-12-17 17:50 28672]
"Icon"="C:\WINDOWS\system32\drivers\Icon.exe" [2005-08-23 16:51 221184]
"SoundMan"="SOUNDMAN.EXE" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"PCMService"="c:\Apps\Powercinema\PCMService.exe" [2005-05-11 14:48 127118]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38 866816]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-10 00:11 50688]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-01-24 21:48 180269]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-24 21:56 98304]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17 159744]
"McafWelcome"="C:\Program Files\McAfee.com\Agent\mcwelcom.exe" [ ]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18 151552]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49 163840]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02 53248]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-07-01 19:22 303104]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2005-07-08 17:16 212992]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-09-27 17:17 999424]
"MPSExe"="c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" [2005-07-26 14:49 294912]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-07-12 18:06 110592]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-07-12 19:05 1117184]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 12:23 1032640]
"CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-04-03 17:00 644696]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 17:50 1603152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
NkvMon.exe.lnk - C:\Program Files\Nikon\NkView6\NkvMon.exe [2006-05-15 19:31:00 233472]
Photo Loader supervisory.lnk - C:\Program Files\CASIO\Photo Loader\Plauto.exe [2007-05-23 14:17:04 229376]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%ProgramFiles%\\AOL 9.0\\aol.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\APPS\\Powercinema\\PowerCinema.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\AOL 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\FrostWire\\FrostWire.exe"=

.
Contents of the 'Scheduled Tasks' folder
"2006-04-30 15:17:01 C:\WINDOWS\Tasks\Registration reminder 1.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2006-04-30 15:17:02 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-02 19:48:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\APPS\HIDSERVICE\HidService.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\McAfee.com\Agent\Mcdetect.exe
C:\PROGRA~1\McAfee.com\VSO\McShield.exe
C:\PROGRA~1\McAfee.com\Agent\McTskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\McAfee.com\VSO\McVSEscn.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\SoftwareDistribution\Download\c286b650f35378bdc0c45de56f787772\update\update.exe
.
**************************************************************************
.
Completion time: 2008-06-02 20:13:56 - machine was rebooted [Andrew Brown]
ComboFix-quarantined-files.txt 2008-06-02 19:13:32
ComboFix2.txt 2008-06-02 15:04:43
ComboFix3.txt 2008-05-30 21:34:03

Pre-Run: 4,871,991,296 bytes free
Post-Run: 4,318,375,936 bytes free

217 --- E O F --- 2008-04-12 10:48:59

tashi
2008-06-03, 19:41
Hello,

No that is the ComboFix log, which we ask people not to run unless asked for.

Please start a new topic as requested above and copy paste the HJT log into that.

Best regards.