PDA

View Full Version : Virtumonde ruining my comp =(



Nintc
2008-07-19, 12:58
Yep I got Virtumonde and for some reason my virus scanner didn't pick it up I knew something was wrong so I tried doing a bunch of other scans learned it was Virtumonde when I ran spy bot. all my attempts to get thing thing off my comp have failed every time spy bot deletes it it comes right back when I reboot.

You will see at reboot a bunch of dos prompts flying up and before you know it my background changes and its trying to add a fake virus scanning software to my comp

I have ran spy bot in safe mode rebooted then ran the hijackthis so here's the log any help you guys can give me will be greatly appreciated.

just so you know a little bit about my comp
I have my hard drive partitioned in 3 with windows installed in C: temp internet files In D: and mass storage/everything else in E:




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:42:55 AM, on 7/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\lphc3c7j0ej7c.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Veoh Networks\Veoh\VeohClient.exe
E:\Program Files\Uniblue2\RegistryBooster 2\RegistryBooster.exe
C:\WINDOWS\system32\taskmgr.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\OpenOffice.org 2.3\program\soffice.exe
E:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 196.207.15.201:80
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7D3C7FA8-2270-4E6E-8758-87F33B8B3721} - C:\WINDOWS\system32\iiffEvUL.dll (file missing)
O2 - BHO: {e3eaf534-3bc8-f03a-0214-b28b68107f19} - {91f70186-b82b-4120-a30f-8cb3435fae3e} - C:\WINDOWS\system32\wlouht.dll
O2 - BHO: (no name) - {BC56D3FB-982A-481D-8B85-8B325F6105FF} - C:\WINDOWS\system32\rqRLdCUL.dll (file missing)
O2 - BHO: (no name) - {D6BBD2F1-E816-4FDF-AD55-5E7CA8FB3C0B} - C:\WINDOWS\system32\wvUOiGxv.dll (file missing)
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [18690c6f] rundll32.exe "C:\WINDOWS\system32\eheoehht.dll",b
O4 - HKLM\..\Run: [lphc3c7j0ej7c] C:\WINDOWS\system32\lphc3c7j0ej7c.exe
O4 - HKLM\..\Run: [BM1b5a3ff3] Rundll32.exe "C:\WINDOWS\system32\wnoynxna.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA7074] command /c del "C:\WINDOWS\system32\iiffEvUL.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4803] cmd /c del "C:\WINDOWS\system32\iiffEvUL.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA922] command /c del "C:\WINDOWS\system32\rqRLdCUL.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6428] cmd /c del "C:\WINDOWS\system32\rqRLdCUL.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA194] command /c del "C:\WINDOWS\system32\wnoynxna.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3821] cmd /c del "C:\WINDOWS\system32\wnoynxna.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Veoh] "E:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] E:\Program Files\Uniblue2\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingD8523] cmd /c del "C:\WINDOWS\system32\iiffEvUL.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4005] command /c del "C:\WINDOWS\system32\rqRLdCUL.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7744] cmd /c del "C:\WINDOWS\system32\rqRLdCUL.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5557] command /c del "C:\WINDOWS\system32\wnoynxna.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6141] cmd /c del "C:\WINDOWS\system32\wnoynxna.dll_old"
O4 - Startup: OpenOffice.org 2.3.lnk = E:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194689098625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1216370041578
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DCAF069C-085E-412B-8B89-68F6FFD1E15F}: NameServer = 68.87.75.194,68.87.64.146
O20 - Winlogon Notify: iiffEvUL - iiffEvUL.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 8989 bytes

Nintc
2008-07-20, 10:52
well I got it fixed through my own means so I'm posting this just so you guys know and don't have to go through the log any more you guys can close the thread :red: