VirtuMonde Log file for analysis...



hitech444
2008-06-09, 13:18
Hi,
I have been plagued by VirtuMonde. I have the log file from HijackThis 2.0.2.
Help please...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:07:46 μμ, on 9/6/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Network Associates\Alert Manager\amgrsrvc.exe
C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
C:\PROGRA~1\APC\POWERC~1\server\PBESER~1.EXE
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\McAfee\ePO\MSSQL7\binn\sqlservr.exe
C:\ePOAgent\naimas32.exe
C:\Program Files\Common Files\McAfee\log and quarantine\bin\i386\NAIlgpip.exe
C:\Program Files\Symantec\Ghost\ngserver.exe
C:\WINNT\system32\ntfrs.exe
C:\Program Files\Common Files\Network Associates\Outbreak Manager\Outbreak.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\ismserv.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\McAfee\ePO\2.0\srvmon.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\Program Files\Microsoft ISA Server\mspadmin.exe
C:\Program Files\Microsoft ISA Server\wspsrv.exe
C:\Program Files\Microsoft ISA Server\w3proxy.exe
C:\Program Files\Microsoft ISA Server\W3Prefch.exe
C:\Program Files\Symantec\Ghost\bin\dbserv.exe
C:\Program Files\Symantec\Ghost\bin\rteng7.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\khooker.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\ePOAgent\naimag32.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\WINNT\system32\internat.exe
C:\Documents and Settings\Administrator\My Documents\My Pictures\Picture Package Menu\SonyTray.exe
C:\Program Files\McAfee\ePO\MSSQL7\Binn\sqlmangr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.e-kimolia.gr/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = srv500se.school500.edu:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.school500.edu;;localhost;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [NGServer] C:\Program Files\Symantec\Ghost\ngserver.exe
O4 - HKLM\..\Run: [NaimAgent_UI] C:\ePOAgent\naimag32.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\RunServices: [RunAlert] C:\Program Files\MSI\PC Alert III\AService.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = C:\Documents and Settings\Administrator\My Documents\My Pictures\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Documents and Settings\Administrator\Desktop\cameranew\Picture Package Applications\Residence.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\McAfee\ePO\MSSQL7\Binn\sqlmangr.exe
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126016399453
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = school500.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{112EA525-240E-4B06-BFC2-9C8685639983}: Domain = school500.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{112EA525-240E-4B06-BFC2-9C8685639983}: NameServer = 10.67.78.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BCC8041-B234-4955-B46E-DF41C23AA34F}: Domain = school500.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BCC8041-B234-4955-B46E-DF41C23AA34F}: NameServer = 10.1.1.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = school500.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = school500.edu
O20 - Winlogon Notify: qomljjhh - qomljjhh.dll (file missing)
O23 - Service: Network Associates Alert Manager (AlertManager) - McAfee Division of Network Associates, Inc. - C:\Program Files\Common Files\Network Associates\Alert Manager\amgrsrvc.exe
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
O23 - Service: APC PBE Server (APCPBEServer) - APC - C:\PROGRA~1\APC\POWERC~1\server\PBESER~1.EXE
O23 - Service: McAfee GroupShield Exchange (AVExch32Service) - Network Associates, Inc. - C:\Program Files\McAfee\GroupShield Exchange\i386\AVExch32.exe
O23 - Service: McAfee GroupShield On-Line Update (AVUPDService) - Network Associates, Inc. - C:\Program Files\McAfee\GroupShield Exchange\i386\updsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NAI ePolicy Orchestrator Agent (NAIMAGENT32) - Network Associates, Inc. - C:\ePOAgent\naimas32.exe
O23 - Service: McAfee ePolicy Orchestrator 2.5.1 Server (NAIMSERV2) - Network Associates, Inc. - C:\Program Files\McAfee\ePO\2.0\NAIMSERV.EXE
O23 - Service: McAfee Log Service (Network Associates Log Service) - Network Associates, Inc. - C:\Program Files\Common Files\McAfee\log and quarantine\bin\i386\NAIlgpip.exe
O23 - Service: Symantec Ghost Database Service (ngdbserv) - Symantec Corporation - C:\Program Files\Symantec\Ghost\bin\dbserv.exe
O23 - Service: Symantec Ghost Configuration Server (NGServer) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngserver.exe
O23 - Service: McAfee Outbreak Manager (Outbreak Manager) - Network Associates, Inc. - C:\Program Files\Common Files\Network Associates\Outbreak Manager\Outbreak.exe

--
End of file - 8992 bytes
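
As an added example (not part of the original post and not a HijackThis feature), the following Python script does the first-pass triage a helper performs by eye on a log like the one above: it parses the section-coded lines, flags entries that point at files no longer on disk, flags O20 Winlogon Notify handlers whose names look machine-generated (the `qomljjhh` pattern typical of Vundo/VirtuMonde), and lists O4 autostarts given without a full path so they can be checked by hand. The sample lines are constructed from entries in the log above; the consonant-run heuristic for "random-looking" names is the author's own and is only a heuristic, not a detection signature.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample in HijackThis 2.0.2 format: the O20 line from the log
# above plus a few clean entries for contrast. Backslashes are doubled for Python.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\\..\\Run: [ClamWin] "C:\\Program Files\\ClamWin\\bin\\ClamTray.exe" --logon
O4 - HKCU\\..\\Run: [internat.exe] internat.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: qomljjhh - qomljjhh.dll (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\\Program Files\\Network Associates\\VirusScan\\Mcshield.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")          # "O20 - ..." -> section code + body
O20_RE = re.compile(r"Winlogon Notify:\s*(\S+)\s+-\s+(\S+)")  # value name, DLL
O4_TARGET_RE = re.compile(r"\]\s*(.*)$")                     # text after "[Name]"
FULL_PATH_RE = re.compile(r'^"?(?:[A-Za-z]:\\|%[A-Za-z_]+%)')  # drive letter or env var
VOWELS = set("aeiouy")


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    section: str    # HijackThis section code, e.g. "O20"
    reason: str
    line: str


def looks_random(name: str) -> bool:
    """Heuristic (author's assumption) for generated names: 6-12 lowercase
    letters containing a run of at least five consonants. Ordinary names such
    as 'internat' or 'mcshield' stay below that threshold."""
    if not re.fullmatch(r"[a-z]{6,12}", name):
        return False
    run = longest = 0
    for ch in name:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 5


def analyse(log: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list and blank lines are not entries
        section, body = m.groups()
        lower = body.lower()

        # Any section: the entry points at something that is no longer on disk.
        if "(file missing)" in lower or "(no file)" in lower:
            findings.append(Finding("medium", section,
                                    "references a file that is not on disk", raw))

        if section == "O20":
            # Winlogon Notify DLLs are loaded into winlogon.exe at every logon;
            # a random-looking name here is a strong signal.
            o20 = O20_RE.search(body)
            if o20 and looks_random(o20.group(1)):
                findings.append(Finding("high", section,
                    f"Winlogon Notify handler with random-looking name {o20.group(1)!r}", raw))

        if section == "O4":
            # Run/RunServices/Startup entries. A bare filename is resolved through
            # the search path at logon, so it deserves a manual look.
            t = O4_TARGET_RE.search(body)
            target = t.group(1).strip() if t else ""
            if target and not FULL_PATH_RE.match(target):
                findings.append(Finding("low", section,
                                        f"autostart without a full path: {target}", raw))
    return findings


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'high': 1, 'medium': 2, 'low': 2}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    order = ("high", "medium", "low")
    for f in sorted(analyse(SAMPLE_LOG), key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

Run against the full log rather than the sample, the same logic singles out the O20 line as the only high-severity finding; the two bare-name O4 entries (`SOUNDMAN.EXE`, `internat.exe`) are reported only as items to verify, since both are common legitimate autostarts on Windows 2000.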

Blade81
2008-06-11, 11:32
Hi


1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh HJT log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also which process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)