computer-geek
2008-07-14, 20:23
I had several versions of Virtumonde on this machine (.xae, .prx), and the main file was ddcddayA.dll. I think that I have removed all of it, but I need someone smarter than me to evaluate the ComboFix log.
Please help
signed
virtumonde kicked my butt...
ComboFix 08-07-13.14 - Orbie 2008-07-14 10:03:02.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.110 [GMT -7:00]
Running from: C:\Documents and Settings\Orbie\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\cracrwinz.exe
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data\salesmonitor
C:\Documents and Settings\Linda\Application Data\DriveCleaner Free
C:\Documents and Settings\Linda\Application Data\DriveCleaner Free\Logs\update.log
C:\Documents and Settings\Orbie\Application Data\DriveCleaner Free
C:\Documents and Settings\Orbie\Application Data\DriveCleaner Free\Logs\update.log
C:\Documents and Settings\Stacy\Application Data\DriveCleaner Free
C:\Documents and Settings\Stacy\Application Data\DriveCleaner Free\Logs\update.log
C:\Documents and Settings\Steven\Application Data\DriveCleaner Free
C:\Documents and Settings\Steven\Application Data\DriveCleaner Free\Logs\update.log
C:\Program Files\PCPrivacyTool
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\aasfpovg.ini
C:\WINDOWS\system32\akpumhfu.ini
C:\WINDOWS\system32\amootqyy.ini
C:\WINDOWS\system32\anpnyhwk.ini
C:\WINDOWS\system32\baGiQXbc.ini
C:\WINDOWS\system32\baGiQXbc.ini2
C:\WINDOWS\system32\bcdNqBeg.ini
C:\WINDOWS\system32\bcdNqBeg.ini2
C:\WINDOWS\system32\BJjQBcdd.ini
C:\WINDOWS\system32\BJjQBcdd.ini2
C:\WINDOWS\system32\bKlSrqru.ini
C:\WINDOWS\system32\bKlSrqru.ini2
C:\WINDOWS\system32\blackster.scr
C:\WINDOWS\system32\cberndts.ini
C:\WINDOWS\system32\cewnpvnr.ini
C:\WINDOWS\system32\cuejxper.ini
C:\WINDOWS\system32\deeNqtwa.ini
C:\WINDOWS\system32\deeNqtwa.ini2
C:\WINDOWS\system32\deqdwihy.ini
C:\WINDOWS\system32\dnufoddi.ini
C:\WINDOWS\system32\dpcvmuff.ini
C:\WINDOWS\system32\ektgqqws.ini
C:\WINDOWS\system32\evpxusmg.ini
C:\WINDOWS\system32\ewngumkx.ini
C:\WINDOWS\system32\exvijdey.ini
C:\WINDOWS\system32\feopjhaw.ini
C:\WINDOWS\system32\FhQXayay.ini
C:\WINDOWS\system32\FhQXayay.ini2
C:\WINDOWS\system32\fOYFNqru.ini
C:\WINDOWS\system32\fOYFNqru.ini2
C:\WINDOWS\system32\girvllus.ini
C:\WINDOWS\system32\gpoeckgt.ini
C:\WINDOWS\system32\gurxwiif.ini
C:\WINDOWS\system32\haqfexhb.ini
C:\WINDOWS\system32\hcgoucmj.ini
C:\WINDOWS\system32\hduoxxrh.ini
C:\WINDOWS\system32\HknUuBeg.ini
C:\WINDOWS\system32\HknUuBeg.ini2
C:\WINDOWS\system32\hlekdfra.ini
C:\WINDOWS\system32\hpoemmeo.ini
C:\WINDOWS\system32\htvyevxg.ini
C:\WINDOWS\system32\ihtfsydb.ini
C:\WINDOWS\system32\inxrghlt.ini
C:\WINDOWS\system32\jivktgpf.ini
C:\WINDOWS\system32\jkwfwopk.ini
C:\WINDOWS\system32\JTBbLRqr.ini
C:\WINDOWS\system32\JTBbLRqr.ini2
C:\WINDOWS\system32\krwsitki.ini
C:\WINDOWS\system32\lknTCbeg.ini
C:\WINDOWS\system32\lknTCbeg.ini2
C:\WINDOWS\system32\LopssBeg.ini
C:\WINDOWS\system32\LopssBeg.ini2
C:\WINDOWS\system32\LoXaaGgh.ini
C:\WINDOWS\system32\LoXaaGgh.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mhxnyfls.ini
C:\WINDOWS\system32\myihoosq.ini
C:\WINDOWS\system32\ndsufirg.ini
C:\WINDOWS\system32\ngaoyymw.ini
C:\WINDOWS\system32\obxbvcqa.ini
C:\WINDOWS\system32\opjhwvaw.ini
C:\WINDOWS\system32\oqonoben.ini
C:\WINDOWS\system32\pdimjdaj.ini
C:\WINDOWS\system32\pegsntpr.ini
C:\WINDOWS\system32\PorXyFhk.ini
C:\WINDOWS\system32\PorXyFhk.ini2
C:\WINDOWS\system32\prsyjhlu.ini
C:\WINDOWS\system32\QXHjPXbc.ini
C:\WINDOWS\system32\QXHjPXbc.ini2
C:\WINDOWS\system32\rBbbbccf.ini
C:\WINDOWS\system32\rBbbbccf.ini2
C:\WINDOWS\system32\rquhpkva.ini
C:\WINDOWS\system32\rtbfdfsh.ini
C:\WINDOWS\system32\slpbqdge.ini
C:\WINDOWS\system32\smydpwhj.ini
C:\WINDOWS\system32\thntclom.ini
C:\WINDOWS\system32\twvniihw.ini
C:\WINDOWS\system32\uDefPqss.ini
C:\WINDOWS\system32\uDefPqss.ini2
C:\WINDOWS\system32\uklkwyje.ini
C:\WINDOWS\system32\ulfnyrlt.ini
C:\WINDOWS\system32\vbwdbcnt.ini
C:\WINDOWS\system32\vpbwfaca.ini
C:\WINDOWS\system32\wgeiuvel.ini
C:\WINDOWS\system32\wrfoqxjl.ini
C:\WINDOWS\system32\WwwwvGgh.ini
C:\WINDOWS\system32\WwwwvGgh.ini2
C:\WINDOWS\system32\xwvxEfii.ini
C:\WINDOWS\system32\xwvxEfii.ini2
C:\WINDOWS\system32\xxbLRqru.ini
C:\WINDOWS\system32\xxbLRqru.ini2
C:\WINDOWS\system32\ywamqcle.ini
.
((((((((((((((((((((((((( Files Created from 2008-06-14 to 2008-07-14 )))))))))))))))))))))))))))))))
.
2008-07-12 22:10 . 2008-07-14 10:05 165,920 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-12 22:10 . 2008-07-12 22:21 2,108 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-12 21:58 . 2008-07-12 21:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-07-12 21:58 . 2008-03-13 23:11 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-07-12 21:58 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-07-12 21:58 . 2008-07-12 22:00 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-07-12 21:57 . 2008-07-12 21:57 <DIR> d-------- C:\Program Files\Zone Labs
2008-07-12 21:56 . 2008-07-14 09:58 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-07-12 21:56 . 2008-07-14 09:49 352,918 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-07-12 15:23 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-30 13:36 . 2008-06-30 13:36 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2008-06-26 19:06 . 2008-06-26 19:06 <DIR> d-------- C:\kav
2008-06-26 11:35 . 2008-07-12 08:38 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-06-17 15:27 . 2008-06-25 15:39 110,340 --a------ C:\WINDOWS\BMaf7afaae.xml
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-13 04:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-06-26 22:58 --------- d-----w C:\Program Files\GameHouse
2008-06-26 22:58 --------- d-----w C:\Program Files\EXEtender
2008-06-26 22:58 --------- d-----w C:\Program Files\Dell Modem-On-Hold
2008-06-26 22:58 --------- d-----w C:\Program Files\Classic PhoneTools
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 17:25 --------- d-----w C:\Program Files\Trend Micro
2008-06-12 16:29 7,666 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Config\incstore.bin
2008-05-09 17:07 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2003-01-04 21:20 207,759 ----a-w C:\Program Files\INSTALL.LOG
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2002-01-11 00:22]
S3 ati2mpaa;ati2mpaa;C:\WINDOWS\system32\DRIVERS\ati2mpaa.sys [2001-08-17 05:48]
.
Contents of the 'Scheduled Tasks' folder
"2006-06-26 11:44:26 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1150100942.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
- - - - ORPHANS REMOVED - - - -
Toolbar-SITEguard - (no file)
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-14 10:05:29
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-07-14 10:08:27
ComboFix-quarantined-files.txt 2008-07-14 17:07:58
Pre-Run: 105,315,024,896 bytes free
Post-Run: 105,313,619,968 bytes free
185 --- E O F --- 2008-07-13 04:24:31
Please help
signed
virtumonde kicked my butt...
ComboFix 08-07-13.14 - Orbie 2008-07-14 10:03:02.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.110 [GMT -7:00]
Running from: C:\Documents and Settings\Orbie\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\cracrwinz.exe
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data\salesmonitor
C:\Documents and Settings\Linda\Application Data\DriveCleaner Free
C:\Documents and Settings\Linda\Application Data\DriveCleaner Free\Logs\update.log
C:\Documents and Settings\Orbie\Application Data\DriveCleaner Free
C:\Documents and Settings\Orbie\Application Data\DriveCleaner Free\Logs\update.log
C:\Documents and Settings\Stacy\Application Data\DriveCleaner Free
C:\Documents and Settings\Stacy\Application Data\DriveCleaner Free\Logs\update.log
C:\Documents and Settings\Steven\Application Data\DriveCleaner Free
C:\Documents and Settings\Steven\Application Data\DriveCleaner Free\Logs\update.log
C:\Program Files\PCPrivacyTool
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\aasfpovg.ini
C:\WINDOWS\system32\akpumhfu.ini
C:\WINDOWS\system32\amootqyy.ini
C:\WINDOWS\system32\anpnyhwk.ini
C:\WINDOWS\system32\baGiQXbc.ini
C:\WINDOWS\system32\baGiQXbc.ini2
C:\WINDOWS\system32\bcdNqBeg.ini
C:\WINDOWS\system32\bcdNqBeg.ini2
C:\WINDOWS\system32\BJjQBcdd.ini
C:\WINDOWS\system32\BJjQBcdd.ini2
C:\WINDOWS\system32\bKlSrqru.ini
C:\WINDOWS\system32\bKlSrqru.ini2
C:\WINDOWS\system32\blackster.scr
C:\WINDOWS\system32\cberndts.ini
C:\WINDOWS\system32\cewnpvnr.ini
C:\WINDOWS\system32\cuejxper.ini
C:\WINDOWS\system32\deeNqtwa.ini
C:\WINDOWS\system32\deeNqtwa.ini2
C:\WINDOWS\system32\deqdwihy.ini
C:\WINDOWS\system32\dnufoddi.ini
C:\WINDOWS\system32\dpcvmuff.ini
C:\WINDOWS\system32\ektgqqws.ini
C:\WINDOWS\system32\evpxusmg.ini
C:\WINDOWS\system32\ewngumkx.ini
C:\WINDOWS\system32\exvijdey.ini
C:\WINDOWS\system32\feopjhaw.ini
C:\WINDOWS\system32\FhQXayay.ini
C:\WINDOWS\system32\FhQXayay.ini2
C:\WINDOWS\system32\fOYFNqru.ini
C:\WINDOWS\system32\fOYFNqru.ini2
C:\WINDOWS\system32\girvllus.ini
C:\WINDOWS\system32\gpoeckgt.ini
C:\WINDOWS\system32\gurxwiif.ini
C:\WINDOWS\system32\haqfexhb.ini
C:\WINDOWS\system32\hcgoucmj.ini
C:\WINDOWS\system32\hduoxxrh.ini
C:\WINDOWS\system32\HknUuBeg.ini
C:\WINDOWS\system32\HknUuBeg.ini2
C:\WINDOWS\system32\hlekdfra.ini
C:\WINDOWS\system32\hpoemmeo.ini
C:\WINDOWS\system32\htvyevxg.ini
C:\WINDOWS\system32\ihtfsydb.ini
C:\WINDOWS\system32\inxrghlt.ini
C:\WINDOWS\system32\jivktgpf.ini
C:\WINDOWS\system32\jkwfwopk.ini
C:\WINDOWS\system32\JTBbLRqr.ini
C:\WINDOWS\system32\JTBbLRqr.ini2
C:\WINDOWS\system32\krwsitki.ini
C:\WINDOWS\system32\lknTCbeg.ini
C:\WINDOWS\system32\lknTCbeg.ini2
C:\WINDOWS\system32\LopssBeg.ini
C:\WINDOWS\system32\LopssBeg.ini2
C:\WINDOWS\system32\LoXaaGgh.ini
C:\WINDOWS\system32\LoXaaGgh.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mhxnyfls.ini
C:\WINDOWS\system32\myihoosq.ini
C:\WINDOWS\system32\ndsufirg.ini
C:\WINDOWS\system32\ngaoyymw.ini
C:\WINDOWS\system32\obxbvcqa.ini
C:\WINDOWS\system32\opjhwvaw.ini
C:\WINDOWS\system32\oqonoben.ini
C:\WINDOWS\system32\pdimjdaj.ini
C:\WINDOWS\system32\pegsntpr.ini
C:\WINDOWS\system32\PorXyFhk.ini
C:\WINDOWS\system32\PorXyFhk.ini2
C:\WINDOWS\system32\prsyjhlu.ini
C:\WINDOWS\system32\QXHjPXbc.ini
C:\WINDOWS\system32\QXHjPXbc.ini2
C:\WINDOWS\system32\rBbbbccf.ini
C:\WINDOWS\system32\rBbbbccf.ini2
C:\WINDOWS\system32\rquhpkva.ini
C:\WINDOWS\system32\rtbfdfsh.ini
C:\WINDOWS\system32\slpbqdge.ini
C:\WINDOWS\system32\smydpwhj.ini
C:\WINDOWS\system32\thntclom.ini
C:\WINDOWS\system32\twvniihw.ini
C:\WINDOWS\system32\uDefPqss.ini
C:\WINDOWS\system32\uDefPqss.ini2
C:\WINDOWS\system32\uklkwyje.ini
C:\WINDOWS\system32\ulfnyrlt.ini
C:\WINDOWS\system32\vbwdbcnt.ini
C:\WINDOWS\system32\vpbwfaca.ini
C:\WINDOWS\system32\wgeiuvel.ini
C:\WINDOWS\system32\wrfoqxjl.ini
C:\WINDOWS\system32\WwwwvGgh.ini
C:\WINDOWS\system32\WwwwvGgh.ini2
C:\WINDOWS\system32\xwvxEfii.ini
C:\WINDOWS\system32\xwvxEfii.ini2
C:\WINDOWS\system32\xxbLRqru.ini
C:\WINDOWS\system32\xxbLRqru.ini2
C:\WINDOWS\system32\ywamqcle.ini
.
((((((((((((((((((((((((( Files Created from 2008-06-14 to 2008-07-14 )))))))))))))))))))))))))))))))
.
2008-07-12 22:10 . 2008-07-14 10:05 165,920 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-12 22:10 . 2008-07-12 22:21 2,108 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-12 21:58 . 2008-07-12 21:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-07-12 21:58 . 2008-03-13 23:11 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-07-12 21:58 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-07-12 21:58 . 2008-07-12 22:00 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-07-12 21:57 . 2008-07-12 21:57 <DIR> d-------- C:\Program Files\Zone Labs
2008-07-12 21:56 . 2008-07-14 09:58 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-07-12 21:56 . 2008-07-14 09:49 352,918 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-07-12 15:23 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-30 13:36 . 2008-06-30 13:36 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2008-06-26 19:06 . 2008-06-26 19:06 <DIR> d-------- C:\kav
2008-06-26 11:35 . 2008-07-12 08:38 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-06-17 15:27 . 2008-06-25 15:39 110,340 --a------ C:\WINDOWS\BMaf7afaae.xml
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-13 04:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-06-26 22:58 --------- d-----w C:\Program Files\GameHouse
2008-06-26 22:58 --------- d-----w C:\Program Files\EXEtender
2008-06-26 22:58 --------- d-----w C:\Program Files\Dell Modem-On-Hold
2008-06-26 22:58 --------- d-----w C:\Program Files\Classic PhoneTools
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 17:25 --------- d-----w C:\Program Files\Trend Micro
2008-06-12 16:29 7,666 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Config\incstore.bin
2008-05-09 17:07 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2003-01-04 21:20 207,759 ----a-w C:\Program Files\INSTALL.LOG
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2002-01-11 00:22]
S3 ati2mpaa;ati2mpaa;C:\WINDOWS\system32\DRIVERS\ati2mpaa.sys [2001-08-17 05:48]
.
Contents of the 'Scheduled Tasks' folder
"2006-06-26 11:44:26 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1150100942.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
- - - - ORPHANS REMOVED - - - -
Toolbar-SITEguard - (no file)
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-14 10:05:29
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-07-14 10:08:27
ComboFix-quarantined-files.txt 2008-07-14 17:07:58
Pre-Run: 105,315,024,896 bytes free
Post-Run: 105,313,619,968 bytes free
185 --- E O F --- 2008-07-13 04:24:31