Help - Please Reply - Virtumonde, etc infections



storeyline
2008-07-25, 21:58
I need your help! My computer is infected with these viruses (Virtumonde, Smitfraud); those are just the ones I know about, and I have no idea what to do. Your help is desperately needed. Thank you.

Here is my HJT report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:00:31 AM, on 7/23/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\lxdccoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\dwwin.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O2 - BHO: AVG Safe Search - {1C1B8A44-61FE-411E-8F33-813A4E2E2984} - C:\WINDOWS\System32\AVIRAS~1.DLL
O2 - BHO: (no name) - {2BF98F47-2AFF-43D3-8D9E-EC84BCDC3F5B} - (no file)
O2 - BHO: (no name) - {2F8BF994-F0EA-4A73-B6BA-EF93DBE16B63} - C:\WINDOWS\System32\nnnkIbbY.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5A3AFBB4-3119-49FE-9DA8-407FE5F7211C} - C:\WINDOWS\System32\wvUnNecY.dll (file missing)
O2 - BHO: (no name) - {680DBEE8-B862-4B3B-9A3B-3F6DD618BA25} - C:\WINDOWS\System32\mlJBSlLc.dll (file missing)
O2 - BHO: {598346fe-7fe5-e33b-0974-23b0c83932a6} - {6a23938c-0b32-4790-b33e-5ef7ef643895} - C:\WINDOWS\System32\adnpuc.dll
O2 - BHO: scriptproxy - {6D0386B3-FD72-488E-9740-90355AE21735} - C:\WINDOWS\System32\diga32.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\iifcDWol.dll
O2 - BHO: (no name) - {74C466E9-2FC5-43D7-8560-FE4362A2A30E} - C:\WINDOWS\System32\rqRIyWqP.dll (file missing)
O2 - BHO: (no name) - {9E2C792A-1249-49BC-B1E3-27E1C7061905} - C:\WINDOWS\System32\iiffGWMe.dll (file missing)
O2 - BHO: (no name) - {A7DAFB2E-E95B-4F23-B681-90C8040E5A96} - C:\WINDOWS\System32\qoMdBSmN.dll (file missing)
O2 - BHO: (no name) - {E135EFEB-9E21-4EF4-8E24-2EDD98F6C87F} - C:\WINDOWS\System32\opnnnmkk.dll (file missing)
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdolk.exe] C:\WINDOWS\system32\kdolk.exe
O4 - HKLM\..\Run: [C:\WINDOWS\System32\kddgq.exe] C:\WINDOWS\System32\kddgq.exe
O4 - HKLM\..\Run: [6c129041] rundll32.exe "C:\WINDOWS\System32\xrhdovjk.dll",b
O4 - HKLM\..\Run: [BM6f21a3dd] Rundll32.exe "C:\WINDOWS\System32\kyjheqcs.dll",s
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Admin.ANGIES\cftmon.exe
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA2607] command /c del "C:\WINDOWS\system32\mlJBSlLc.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2887] cmd /c del "C:\WINDOWS\system32\iifcDWol.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA542] command /c del "C:\WINDOWS\system32\iifcDWol.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5051] command /c del "C:\WINDOWS\system32\kyjheqcs.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7712] cmd /c del "C:\WINDOWS\system32\kyjheqcs.dll_old"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Admin.ANGIES\cftmon.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB9380] command /c del "C:\WINDOWS\system32\mlJBSlLc.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4642] cmd /c del "C:\WINDOWS\system32\mlJBSlLc.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6749] command /c del "C:\WINDOWS\system32\iifcDWol.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3800] cmd /c del "C:\WINDOWS\system32\iifcDWol.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1935] command /c del "C:\WINDOWS\system32\kyjheqcs.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3328] cmd /c del "C:\WINDOWS\system32\kyjheqcs.dll_old"
O4 - HKUS\S-1-5-21-790525478-920026266-1708537768-1003\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'angela storey')
O4 - HKUS\S-1-5-21-790525478-920026266-1708537768-1003\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'angela storey')
O4 - HKUS\S-1-5-21-790525478-920026266-1708537768-1003\..\Run: [autoload] C:\Documents and Settings\angela storey\cftmon.exe (User 'angela storey')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - S-1-5-21-790525478-920026266-1708537768-1003 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'angela storey')
O4 - S-1-5-21-790525478-920026266-1708537768-1003 User Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'angela storey')
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\YAHOO!\COMMON\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.mcafee.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D25CCBC-ECB6-4AD7-ACEB-15FACE35C238}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{3ECE3F59-2495-49E1-9F9C-DD73ACCF6C6E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{2D25CCBC-ECB6-4AD7-ACEB-15FACE35C238}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{2D25CCBC-ECB6-4AD7-ACEB-15FACE35C238}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
O20 - Winlogon Notify: iifcDWol - C:\WINDOWS\SYSTEM32\iifcDWol.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxdcCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdcserv.exe
O23 - Service: lxdc_device - - C:\WINDOWS\System32\lxdccoms.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe

--
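As an added example (not code from the original post, the Spybot forum, or Trend Micro's HijackThis), the script below parses the `O2`/`O4`/`O23` line shapes that appear in the log above and flags the indicators a helper usually checks first: BHO registrations whose DLL is gone, executables launched from the `drivers` directory (which normally holds `.sys` files, not `.exe`), file names one edit away from a well-known system binary (`cftmon.exe` next to `ctfmon.exe`, `spools.exe` next to `spoolsv.exe`), services with no owner, and `rundll32` autoruns calling a one-letter DLL export. The sample lines are copied from the log, the list of well-known binaries and the rule names are assumptions made for this example, and every rule is a review hint, not a verdict.

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example; not code from the original post, the Spybot forum, or
HijackThis itself. KNOWN_BINARIES and the rule names are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: lines taken from the log above plus benign controls.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\drivers\spools.exe

O2 - BHO: (no name) - {2BF98F47-2AFF-43D3-8D9E-EC84BCDC3F5B} - (no file)
O2 - BHO: (no name) - {2F8BF994-F0EA-4A73-B6BA-EF93DBE16B63} - C:\WINDOWS\System32\nnnkIbbY.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Admin.ANGIES\cftmon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\Run: [6c129041] rundll32.exe "C:\WINDOWS\System32\xrhdovjk.dll",b
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Windows XP binaries whose names are commonly imitated (assumed list).
KNOWN_BINARIES = {"ctfmon.exe", "svchost.exe", "csrss.exe", "winlogon.exe",
                  "lsass.exe", "spoolsv.exe", "explorer.exe", "rundll32.exe"}

# Drive-letter path ending in .exe or .dll; lazy so "Admin.ANGIES" is skipped.
_PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.IGNORECASE)
# rundll32 invoking a DLL through a single-letter export, e.g. "...dll",b
_RUNDLL_RE = re.compile(r'rundll32\.exe\s+"[^"]+\.dll",\s*\w\b', re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    line: str


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent
    transposition, so 'cftmon.exe' is one edit away from 'ctfmon.exe'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_line(line: str) -> List[Finding]:
    """Apply each heuristic to one log line; a line can trip several rules."""
    s = line.strip()
    findings: List[Finding] = []
    if not s:
        return findings
    if s.startswith("O2 - ") and (s.endswith("(no file)") or s.endswith("(file missing)")):
        findings.append(Finding("orphaned_bho", s))
    for path in _PATH_RE.findall(s):
        name = basename(path)
        if "\\drivers\\" in path.lower() and name.endswith(".exe"):
            findings.append(Finding("exe_in_drivers_dir", s))
        if name not in KNOWN_BINARIES and any(edit_distance(name, k) == 1 for k in KNOWN_BINARIES):
            findings.append(Finding("lookalike_name", s))
    if s.startswith("O23 - ") and "Unknown owner" in s:
        findings.append(Finding("unknown_owner_service", s))
    if _RUNDLL_RE.search(s):
        findings.append(Finding("rundll32_one_letter_export", s))
    return findings


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map rule name -> the lines that tripped it, in log order."""
    report: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        for f in check_line(line):
            report.setdefault(f.rule, []).append(f.line)
    return report


if __name__ == "__main__":
    for rule, lines in triage(SAMPLE_LOG).items():
        print(f"[{rule}]")
        for ln in lines:
            print("   ", ln)
```

Run against the constructed sample, the `spools.exe` entries trip both the drivers-directory and the look-alike rule, which is why a reviewer would pull that file first; the orphaned `O2` entries, by contrast, point at DLLs Spybot already deleted (see the `RunOnce` lines in the log) and are cleanup, not an active threat. The look-alike rule depends on transposition counting as one edit; plain Levenshtein would score `cftmon` against `ctfmon` as two and miss it.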

tashi
2008-07-26, 04:40
Hello storeyline,

Your topic is here: http://forums.spybot.info/showthread.php?t=31514

Please do not start a new one for the same computer.

"BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Regards.