PDA

View Full Version : Help with Virtumonde


econtrerasd
2008-08-31, 21:26
Hi, I'm asking for some insight on how to remove Virtumonde, I received a friend's laptop which had a lot of trojans, all of which I have been able to clean with the exception of Virtuamonde

Here is the log from HijackThis, can you help me figure this out?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:20:26 p.m., on 31/08/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Normal

Running processes:
C:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\PROGRA~1\SMARTD~1\Messages\SDNotify.exe
C:\Windows\SMINST\scheduler.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\igfxtray.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackup.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Windows\system32\CTPdeSrv.exe
C:\Users\Usuario\Documents\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.t1msn.com.mx/0SEESMX/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://prodigy.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://prodigy.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.t1msn.com.mx/0SEESMX/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {3656A6D3-3EEF-4FCA-A0C8-F437779F7AA6} - C:\Windows\system32\pmnNfDTK.dll
O2 - BHO: (no name) - {4ED576A0-EBAB-4741-8D12-3F3ABC7A1877} - C:\Windows\system32\bidisp.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: {387828f9-3f5c-0d2a-3044-b7388acb4998} - {8994bca8-837b-4403-a2d0-c5f39f828783} - C:\Windows\system32\gdebba.dll
O2 - BHO: Windows Live Aplicación auxiliar de inicio de sesión - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Data Tracker - {AF3A4E11-2F63-35EF-D6BC-F3646308105D} - C:\Windows\system32\gowtae32.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {E979CC7D-5AF0-49C4-959C-5353CFAD5E3F} - C:\Windows\system32\bidisp.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: qalkfxor - {D5EA3C8B-5074-4C2E-A15E-37AA47C40AA8} - C:\Windows\qalkfxor.dll (file missing)
O4 - HKLM\..\Run: [\VIE74C1.exe] C:\Windows\System32\VIE74C1.exe
O4 - HKLM\..\Run: [\VIE79A1.exe] C:\Windows\System32\VIE79A1.exe
O4 - HKLM\..\Run: [\VIE7BF2.exe] C:\Windows\System32\VIE7BF2.exe
O4 - HKLM\..\Run: [\VIE57C.exe] C:\Windows\System32\VIE57C.exe
O4 - HKLM\..\Run: [\VIEFE2C.exe] C:\Windows\System32\VIEFE2C.exe
O4 - HKLM\..\Run: [\VIEFEA8.exe] C:\Windows\System32\VIEFEA8.exe
O4 - HKLM\..\Run: [\VIE206B.exe] C:\Windows\System32\VIE206B.exe
O4 - HKLM\..\Run: [\VIE79B1.exe] C:\Windows\System32\VIE79B1.exe
O4 - HKLM\..\Run: [\VIE8A83.exe] C:\Windows\System32\VIE8A83.exe
O4 - HKLM\..\Run: [\VIE91A4.exe] C:\Windows\System32\VIE91A4.exe
O4 - HKLM\..\Run: [\VIEA3BD.exe] C:\Windows\System32\VIEA3BD.exe
O4 - HKLM\..\Run: [\VIE1074.exe] C:\Windows\System32\VIE1074.exe
O4 - HKLM\..\Run: [\VIE5C81.exe] C:\Windows\System32\VIE5C81.exe
O4 - HKLM\..\Run: [\VIE1D11.exe] C:\Windows\System32\VIE1D11.exe
O4 - HKLM\..\Run: [\VIE1D20.exe] C:\Windows\System32\VIE1D20.exe
O4 - HKLM\..\Run: [\VIE2338.exe] C:\Windows\System32\VIE2338.exe
O4 - HKLM\..\Run: [\VIE9B83.exe] C:\Windows\System32\VIE9B83.exe
O4 - HKLM\..\Run: [\VIEE3E8.exe] C:\Windows\System32\VIEE3E8.exe
O4 - HKLM\..\Run: [\VIE8F5.exe] C:\Windows\System32\VIE8F5.exe
O4 - HKLM\..\Run: [\VIE84A9.exe] C:\Windows\System32\VIE84A9.exe
O4 - HKLM\..\Run: [\VIE4088.exe] C:\Windows\System32\VIE4088.exe
O4 - HKLM\..\Run: [\VIEC3CB.exe] C:\Windows\System32\VIEC3CB.exe
O4 - HKLM\..\Run: [\VIEDF46.exe] C:\Windows\System32\VIEDF46.exe
O4 - HKLM\..\Run: [\VIE7196.exe] C:\Windows\System32\VIE7196.exe
O4 - HKLM\..\Run: [\VIE8CA5.exe] C:\Windows\System32\VIE8CA5.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [ST Recovery Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [\VIE74C1.exe] C:\Windows\System32\VIE74C1.exe
O4 - HKCU\..\Run: [\VIE79A1.exe] C:\Windows\System32\VIE79A1.exe
O4 - HKCU\..\Run: [\VIE7BF2.exe] C:\Windows\System32\VIE7BF2.exe
O4 - HKCU\..\Run: [\VIE57C.exe] C:\Windows\System32\VIE57C.exe
O4 - HKCU\..\Run: [\VIEFE2C.exe] C:\Windows\System32\VIEFE2C.exe
O4 - HKCU\..\Run: [\VIEFEA8.exe] C:\Windows\System32\VIEFEA8.exe
O4 - HKCU\..\Run: [\VIE206B.exe] C:\Windows\System32\VIE206B.exe
O4 - HKCU\..\Run: [\VIE79B1.exe] C:\Windows\System32\VIE79B1.exe
O4 - HKCU\..\Run: [\VIE8A83.exe] C:\Windows\System32\VIE8A83.exe
O4 - HKCU\..\Run: [\VIE91A4.exe] C:\Windows\System32\VIE91A4.exe
O4 - HKCU\..\Run: [\VIEA3BD.exe] C:\Windows\System32\VIEA3BD.exe
O4 - HKCU\..\Run: [\VIE1074.exe] C:\Windows\System32\VIE1074.exe
O4 - HKCU\..\Run: [\VIE5C81.exe] C:\Windows\System32\VIE5C81.exe
O4 - HKCU\..\Run: [\VIE1D11.exe] C:\Windows\System32\VIE1D11.exe
O4 - HKCU\..\Run: [\VIE1D20.exe] C:\Windows\System32\VIE1D20.exe
O4 - HKCU\..\Run: [\VIE2338.exe] C:\Windows\System32\VIE2338.exe
O4 - HKCU\..\Run: [\VIE9B83.exe] C:\Windows\System32\VIE9B83.exe
O4 - HKCU\..\Run: [\VIEE3E8.exe] C:\Windows\System32\VIEE3E8.exe
O4 - HKCU\..\Run: [\VIE8F5.exe] C:\Windows\System32\VIE8F5.exe
O4 - HKCU\..\Run: [\VIE84A9.exe] C:\Windows\System32\VIE84A9.exe
O4 - HKCU\..\Run: [\VIE4088.exe] C:\Windows\System32\VIE4088.exe
O4 - HKCU\..\Run: [\VIEC3CB.exe] C:\Windows\System32\VIEC3CB.exe
O4 - HKCU\..\Run: [\VIEDF46.exe] C:\Windows\System32\VIEDF46.exe
O4 - HKCU\..\Run: [\VIE7196.exe] C:\Windows\System32\VIE7196.exe
O4 - HKCU\..\Run: [\VIE8CA5.exe] C:\Windows\System32\VIE8CA5.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'Servicio de red')
O4 - Startup: AutoBackup Launcher.lnk = C:\Program Files\Memeo\AutoBackup\MemeoLauncher.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Enviar imagen al dispositivo &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Enviar página al dispositivo &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Agregar entrada - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Agregar entrada en Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/VistaMSNPUpldes-mx.cab
O16 - DPF: {BD4F7A6D-0107-4BDF-B72B-021B717B06CE} - http://scanner.msscanner.com/setup/setup.cab
O20 - AppInit_DLLs: APSHook.dll gdebba.dll
O21 - SSODL: pdoskegl - {FFFE288A-319B-4D1F-8695-5F9703800ECB} - C:\Windows\pdoskegl.dll (file missing)
O21 - SSODL: rqbmvpso - {F7615356-2D84-4158-BE14-55983E0B4907} - C:\Windows\rqbmvpso.dll (file missing)
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AutoBackup (BMUService) - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoService.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Creative Media Toolbox 6 Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\MT6Licensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\Windows\system32\CTsvcCDA.EXE
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Servicio del iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Programador de LiveUpdate automático - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 15040 bytes

Thanks in Advance!
Shaba
2008-09-02, 15:19
Hi econtrerasd

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Right-click on SmitfraudFix.exe and click on Run as administrator
Click Allow
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm (http://www.beyondlogic.org/consulting/processutil/processutil.htm)
Shaba
2008-09-07, 11:19
Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.