PDA

View Full Version : Help with virtomundo



akapero
2008-06-10, 22:36
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:23:56 p.m., on 10/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\esclavo.exe
C:\Archivos de programa\Eset\nod32krn.exe
C:\Archivos de programa\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Archivos de programa\Java\jre1.6.0_06\bin\jusched.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Archivos de programa\Eset\nod32kui.exe
C:\Archivos de programa\Google\Google Talk\googletalk.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\Archivos de programa\Windows Desktop Search\WindowsSearch.exe
C:\Archivos de programa\Supreme Office Suite3.0\user\program\soffice.exe
C:\Archivos de programa\Spybot - Search & Destroy\SpybotSD.exe
C:\ARCHIV~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\CONEXION CENTER\Escritorio\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=15370
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 201.217.17.140 l2.juegosonline.com.py
O1 - Hosts: 201.217.17.140 l2testauthd.lineage2.com
O1 - Hosts: 201.217.17.140 l2authd.lineage2.com
O1 - Hosts: 201.217.17.140 nprotect.lineage2.com
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Aplicación auxiliar de inicio de sesión - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\ARCHIV~1\MASSDO~1\MDHELPER.DLL (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Archivos de programa\Archivos comunes\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Archivos de programa\Archivos comunes\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [googletalk] "C:\Archivos de programa\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [csrcs] C:\WINDOWS\system32\csrcs.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Supreme Office Suite 3.0.lnk = C:\Archivos de programa\Supreme Office Suite3.0\user\program\quickstart.exe
O4 - Global Startup: Búsqueda en el escritorio de Windows.lnk = C:\Archivos de programa\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Descargar &Todo usando Mass Downloader - C:\Archivos de programa\Mass Downloader\Add_All.htm
O8 - Extra context menu item: Descargar usando &Mass Downloader - C:\Archivos de programa\Mass Downloader\Add_Url.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Agregar entrada - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Archivos de programa\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Agregar entrada en Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Archivos de programa\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Investigador - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Archivos de programa\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Archivos de programa\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Archivos de programa\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cargador del Terminal (escSrv) - Unknown owner - C:\WINDOWS\system32\escsrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\ARCHIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe
O23 - Service: Programador de LiveUpdate automático - Symantec Corporation - C:\Archivos de programa\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Archivos de programa\Windows Live\installer\WLSetupSvc.exe

--
End of file - 8250 bytes
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, June 10, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, June 10, 2008 13:33:01
Records in database: 845725
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
Z:\

Scan statistics:
Files scanned: 87465
Threat name: 11
Infected objects: 30
Suspicious objects: 0
Duration of the scan: 01:40:06


File name / Threat name / Threats count
C:\Archivos de programa\Eset\infected\3HEO4MBA.NQF Infected: Trojan.Win32.Monder.gen 1
C:\Archivos de programa\Eset\infected\5BMLIYDA.NQF Infected: Trojan.Win32.Monder.gen 1
C:\Archivos de programa\Eset\infected\AZQ2MDAA.NQF Infected: Trojan.Win32.Monder.gen 1
C:\Archivos de programa\Eset\infected\CHV35VBA.NQF Infected: Trojan.Win32.Monder.gen 1
C:\Archivos de programa\Eset\infected\GYJWDEBA.NQF Infected: not-a-virus:AdWare.Win32.Virtumonde.yhx 1
C:\Archivos de programa\Eset\infected\LTJRXGBA.NQF Infected: Trojan.Win32.Monder.gen 1
C:\Archivos de programa\Eset\infected\PNDSQPDA.NQF Infected: Trojan.Win32.Monder.gen 1
C:\Archivos de programa\Eset\infected\ZBXP5KBA.NQF Infected: not-a-virus:AdWare.Win32.Virtumonde.wpu 1
C:\Documents and Settings\User\Configuración local\Archivos temporales de Internet\Content.IE5\EGG2LIEN\kb456456[2] Infected: Trojan.Win32.Monder.gen 1
C:\Documents and Settings\User\Configuración local\Archivos temporales de Internet\Content.IE5\EGG2LIEN\kb516107[2] Infected: Trojan.Win32.Monder.gen 1
C:\Documents and Settings\User\Configuración local\Archivos temporales de Internet\Content.IE5\HMBYA32D\css4[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.tsj 1
C:\Documents and Settings\User\Configuración local\Archivos temporales de Internet\Content.IE5\VSTLSLZF\kb456456[1] Infected: Trojan.Win32.Monder.gen 1
C:\Documents and Settings\User\Configuración local\Archivos temporales de Internet\Content.IE5\VSTLSLZF\kb456456[3] Infected: Trojan.Win32.Monder.gen 1
C:\Documents and Settings\User\Configuración local\Temp\djoaudbe.dll Infected: Trojan.Win32.Agent.reo 1
C:\Documents and Settings\User\Configuración local\Temp\dxdklbgw.dll Infected: Trojan.Win32.Monder.gen 1
C:\Documents and Settings\User\Configuración local\Temp\efCTJyyv.dll Infected: Trojan.Win32.Monder.gen 1
C:\Documents and Settings\User\Configuración local\Temp\ehfrscie.dll Infected: Trojan.Win32.Agent.rep 1
C:\Documents and Settings\User\Configuración local\Temp\fvnhvgnw.dll Infected: Trojan.Win32.Monder.gen 1
C:\Documents and Settings\User\Configuración local\Temp\IHA985.tmp Infected: Trojan.Win32.Monder.gen 1
C:\Documents and Settings\User\Configuración local\Temp\IHABD1.tmp Infected: Trojan.Win32.Monder.gen 1
C:\Documents and Settings\User\Configuración local\Temp\jbupbtrn.dll Infected: Trojan.Win32.Monder.le 1
C:\Documents and Settings\User\Configuración local\Temp\kjomuqrx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vqf 1
C:\Documents and Settings\User\Configuración local\Temp\njwnfneb.dll Infected: Trojan.Win32.Monder.gen 1
C:\Documents and Settings\User\Configuración local\Temp\nvmlgjnx.dll Infected: Trojan.Win32.Monder.gen 1
C:\Documents and Settings\User\Configuración local\Temp\qdijfrhm.dll Infected: Trojan.Win32.Monder.gen 1
C:\Documents and Settings\User\Configuración local\Temp\vjrlrwjb.dll Infected: Trojan.Win32.Monder.gen 1
C:\Documents and Settings\User\Configuración local\Temp\woldgyne.dll Infected: Trojan.Win32.Monder.gen 1
C:\Documents and Settings\User\Configuración local\Temp\xyttlmya.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vqd 1
C:\Documents and Settings\User\Mis documentos\Downloads\ARES ULTRA 3.5.0.0 FULL RETAIL with Registered ID.rar Infected: not-a-virus:AdWare.Win32.Virtumonde.tsv 1
C:\WINDOWS\system32\CMDOW.EXE Infected: not-a-virus:RiskTool.Win32.HideWindows 1

Thttp://forums.spybot.info/images/smilies/euro.gif
:euro:he selected area was scanned.

pskelley
2008-06-11, 18:27
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
This can be a tough infection to remove so do not expect fast or easy.

Looks like you have a Vundo infection, but you also have this junk:
http://www.bleepingcomputer.com/startups/CSRCS.EXE-13520.html
http://www.sophos.com/security/analyses/viruses-and-spyware/w32spybotei.html

W32/Spybot-EI runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

and this: C:\WINDOWS\system32\esclavo.exe <<< do you know it?
http://www.google.com/search?hl=en&q=esclavo.exe&btnG=Search
It is likely very bad also, I believe to be safe, you need this information:
A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to by used by the attacker for malicious purposes unknown to the user.

One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information and Download and Execute files
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

Let us know what you have decided to do in your next post.

Thanks

akapero
2008-06-11, 22:57
I put the computer off line. I do not have any sensytive info but I still think it best to reformat. It will be a good learning experience.Thank you.

pskelley
2008-06-12, 00:24
I understand your decision, I would have to do the same and I do have sensitive information and do online banking, etc. Here is some information that may help.

http://spyware-free.us/tutorials/reformat/
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
http://helpdesk.its.uiowa.edu/windows/instructions/reformat.htm

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.