Virtumonde and smithfraud-c



Shiroc
2008-11-25, 06:08
I believe I have both Virtumonde and Smitfraud on my computer, at least.

Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:53:33 PM, on 11/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Stephen Gibson\Desktop\Download\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [lxcdmon.exe] "C:\Program Files\Lexmark 6300 Series\lxcdmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 6300 Series\ezprint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [jgsyilkbluw] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\gceeglbgfhzmgrtu.dll"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Stephen Gibson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Subscribe in RSS Bandit - C:\Documents and Settings\Stephen Gibson\Application Data\RssBandit\iecontext_subscribebandit.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171751041076
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: bnuthx.dll,C:\WINDOWS\system32\tobirugo.dll gnmnsi.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcd_device - Unknown owner - C:\WINDOWS\system32\lxcdcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O24 - Desktop Component 0: My Current Home Page - About:Home

--
End of file - 5764 bytes

Here's the Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, November 24, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, November 24, 2008 19:40:58
Records in database: 1409941
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
I:\

Scan statistics:
Files scanned: 102257
Threat name: 14
Infected objects: 26
Suspicious objects: 1
Duration of the scan: 02:46:06


File name / Threat name / Threats count
winlogon.exe\mlJYrqoL.dll/winlogon.exe\mlJYrqoL.dll Infected: Trojan.Win32.Monderb.gjo 1
C:\WINDOWS\system32\mlJYrqoL.dll/C:\WINDOWS\system32\mlJYrqoL.dll Infected: Trojan.Win32.Monderb.xer 2
C:\Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ddcDsRjk.dll.vir Infected: Trojan.Win32.Agent.anyk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\efcyWOGA.dll.vir Infected: Trojan.Win32.Monderb.xer 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\rswnw64n.exe.vir Infected: Trojan-Downloader.Win32.Agent.afzg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ssqPiffE.dll.vir Infected: Trojan.Win32.Agent.anyk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\urqOHWqq.dll.vir Infected: Trojan.Win32.Monderb.xer 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\urqRHyab.dll.vir Infected: Trojan.Win32.Monderb.xer 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\yayaaWoP.dll.vir Infected: Trojan.Win32.Monderb.xer 1
C:\WINDOWS\system32\ID2\CRAFE913.exe Infected: not-a-virus:AdWare.Win32.WebHancer.f 1
C:\WINDOWS\system32\ID2\CRAFE913.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 1
C:\WINDOWS\system32\mlJYrqoL.dll Infected: Trojan.Win32.Monderb.xer 1
C:\WINDOWS\system32\ssqqnNfe.dll Infected: Trojan.Win32.Monderb.xer 1
C:\WINDOWS\system32\~.exe Infected: Trojan.Win32.Agent.aoyc 1
D:\Backup\mail\Inbox.dbx Infected: Email-Worm.Win32.Tanatos.b.dam 1
D:\Backup\mail\Inbox.dbx Infected: not-a-virus:NetTool.Win32.Calc-FoldingAtHome 1
D:\bigtransfer\Outlook.pst Infected: Email-Worm.Win32.Tanatos.b.dam 1
D:\bigtransfer\Outlook.pst Infected: not-a-virus:NetTool.Win32.Calc-FoldingAtHome 1
D:\bigtransfer\outlookpost\Outlook.pst Infected: Email-Worm.Win32.Tanatos.b.dam 1
D:\bigtransfer\outlookpost\Outlook.pst Infected: not-a-virus:NetTool.Win32.Calc-FoldingAtHome 1
D:\Files and Patches\Programs and Shareware\overnet0.49.exe Infected: not-a-virus:AdWare.Win32.Ucmore.a 1
D:\Files and Patches\Programs and Shareware\overnet0.49.exe Infected: not-a-virus:AdWare.Win32.Ucmore 1
D:\Files and Patches\Programs and Shareware\samuziq1.5.zip Suspicious: Trojan-Downloader.JS.gen 1
D:\Files and Patches\Programs and Shareware\vnc-4.0-x86_win32_viewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
D:\New Folder\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1

The selected area was scanned.

Shaba
2008-11-27, 11:27
Hi Shiroc

I see that you have run ComboFix. It is not meant to be run without supervision.

Create a folder of its own for HijackThis on the Desktop and move it to that folder.

Rename HijackThis.exe to Shiroc.exe and post back a fresh HijackThis log, please :)

Shaba
2008-12-02, 15:51
Due to the lack of feedback, this topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.