PDA

View Full Version : Another Virtumonde



Greycat
2008-07-27, 18:34
Guys

I've read through some of your posts and am indeed very impressed... And worried.
I also have a PC infected with Virtumonde and I think I may have caused more damage by trying to remove it myself. Please help!

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:20:40 PM, on 27/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
D:\Program Files\Comodo\CBOClean\BOCORE.exe
D:\Program Files\COMODO\Firewall\cmdagent.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\lvhidsvc.exe
D:\Program Files\CDBurnerXP\NMSAccessU.exe
D:\WINDOWS\System32\nvsvc32.exe
d:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
D:\WINDOWS\System32\snmp.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\Drivers\WTSRV.EXE
D:\Program Files\Canon\CAL\CALMAIN.exe
D:\PROGRA~1\AVG\AVG8\avgrsx.exe
D:\PROGRA~1\AVG\AVG8\avgemc.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\system32\WTClient.exe
D:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
D:\Program Files\HP\hpcoretech\hpcmpmgr.exe
D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
D:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
D:\PROGRA~1\AVG\AVG8\avgtray.exe
D:\Program Files\COMODO\SafeSurf\cssurf.exe
D:\Program Files\COMODO\Firewall\cfp.exe
D:\PROGRA~1\Comodo\CBOClean\BOC426.exe
D:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
D:\Program Files\Ashampoo\Ashampoo UnInstaller Platinum 2\UIWatcher.exe
D:\Program Files\DS Clock\DSClock.exe
D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\SEC\Natural Color Pro\NCProTray.exe
D:\WINDOWS\twain_32\S6U12BX\WATCH.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Windows Live\Messenger\usnsvc.exe
D:\Program Files\Mozilla Thunderbird\thunderbird.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
F3 - REG:win.ini: load=
F3 - REG:win.ini: run=
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WTClient] WTClient.exe
O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "D:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [COMODO SafeSurf] "D:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [BOC-426] D:\PROGRA~1\Comodo\CBOClean\BOC426.exe
O4 - HKLM\..\Run: [Windows Logon Applicationedc] D:\Documents and Settings\Jan\winlogon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA4232] command /c del "D:\WINDOWS\system32\ssqOGwUO.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6803] cmd /c del "D:\WINDOWS\system32\ssqOGwUO.dll"
O4 - HKCU\..\Run: [WeatherWatcher] D:\Program Files\Weather Watcher\ww.exe
O4 - HKCU\..\Run: [SIDEBAR] "D:\Program Files\Desktop Sidebar\dsidebar.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [UIWatcher] D:\Program Files\Ashampoo\Ashampoo UnInstaller Platinum 2\UIWatcher.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [DS Clock] "D:\Program Files\DS Clock\DSClock.exe"
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Mozilla Thunderbird] D:\Program Files\Mozilla Thunderbird\thunderbird.exe -mail
O4 - HKCU\..\Run: [Firefox] D:\Program Files\Mozilla Firefox\firefox.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NCProTray.lnk = ?
O4 - Global Startup: Watch.lnk = D:\WINDOWS\twain_32\S6U12BX\WATCH.exe
O8 - Extra context menu item: &Windows Live Search - res://D:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BOCore - COMODO - D:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - D:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - D:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Remote HID Service (LvHidSvc) - Philips - D:\WINDOWS\system32\lvhidsvc.exe
O23 - Service: NMIndexingService - Unknown owner - D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NMSAccessU - Unknown owner - D:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - d:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - D:\WINDOWS\System32\Drivers\WTSRV.EXE

--
End of file - 8487 bytes

Thanks

Shaba
2008-07-29, 08:29
Hi Greycat

Rename HijackThis.exe to Greycat.exe and post back a fresh HijackThis log, please :)

Shaba
2008-08-03, 12:17
Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.