PDA

View Full Version : Virtumonde wont get off my pc



Terazul
2009-02-23, 08:11
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:06:36 AM, on 2/23/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VIA\RAID\raid_tool.exe
J:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - J:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {AD46AE3B-F7F4-4EBA-B110-15DC671B2CEF} - C:\WINDOWS\system32\xxyvwTMd.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SoloSentry] J:\PROGRA~1\SRNMIC~1\SOLOSENT.EXE
O4 - HKLM\..\Run: [SoloSysCheck] j:\PROGRA~1\SRNMIC~1\SYSCHECK.COM
O4 - HKLM\..\Run: [GrooveMonitor] "J:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "J:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MerlinReportAgent] "C:\Program Files\ATT-HSI\McciBrowser.exe" -appkey=att-nap -hidden -url=file:///C:/Program%20Files/ATT-HSI/ReportAgent.html
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\IDK\reader_s.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User '?')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_03] cmd.exe /c md "%SystemRoot%\System32\dllcache" (User '?')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_04] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User '?')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_05] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User '?')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_06] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User '?')
O4 - HKUS\S-1-5-21-842925246-1580436667-1801674531-1005\..\Run: [reader_s] C:\Documents and Settings\IDK\reader_s.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://J:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - J:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - J:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - J:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{BEB1C300-E415-4333-BDD1-57C486BCAEBD}: NameServer = 192.168.1.254
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - J:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: nggtiu.dll
O20 - Winlogon Notify: urqRHaYP - urqRHaYP.dll (file missing)
O22 - SharedTaskScheduler: elat - {ec86e5b0-45f2-45fa-9294-24878aec09f6} - C:\WINDOWS\system32\oyryp.dll (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Unknown owner - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: CcEvtSvc - Unknown owner - C:\WINDOWS\System32\CcEvtSvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7325 bytes

Shaba
2009-02-24, 18:26
Hi Terazul

I'd like you to check a file for malware.

Go to VirusTotal (http://www.virustotal.com) or Jotti's (http://virusscan.jotti.org/)


C:\WINDOWS\System32\reader_s.exe

Copy/Paste the file on the list into the white Upload a file box.
Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
After a while, a window will open, with details of what the scans found.
Save the complete results in a Notepad/Word document on your desktop.
Post back results, please.

Terazul
2009-02-27, 00:58
here is the scan from VirusTotal for the file you requested....


Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.02.26 Trojan-Dropper.Win32.Cutwail!IK
AntiVir 7.9.0.93 2009.02.26 W32/Virut.Gen
Authentium 5.1.0.4 2009.02.26 W32/Virut.AI!Generic
Avast 4.8.1335.0 2009.02.26 Win32:Vitro
AVG 8.0.0.237 2009.02.26 -
BitDefender 7.2 2009.02.26 Trojan.Generic.1436002
CAT-QuickHeal 10.00 2009.02.26 W32.Virut.G
ClamAV 0.94.1 2009.02.26 -
Comodo 986 2009.02.20 -
DrWeb 4.44.0.09170 2009.02.26 Win32.Virut.56
eSafe 7.0.17.0 2009.02.26 Suspicious File
eTrust-Vet 31.6.6375 2009.02.26 Win32/Virut.17408
F-Prot 4.4.4.56 2009.02.26 W32/Virut.AI!Generic
F-Secure 8.0.14470.0 2009.02.26 -
Fortinet 3.117.0.0 2009.02.26 -
GData 19 2009.02.26 Trojan.Generic.1436002
Ikarus T3.1.1.45.0 2009.02.26 Trojan-Dropper.Win32.Cutwail
K7AntiVirus 7.10.648 2009.02.26 -
Kaspersky 7.0.0.125 2009.02.26 Virus.Win32.Virut.ce
McAfee 5537 2009.02.26 W32/Virut.n.gen
McAfee+Artemis 5537 2009.02.26 W32/Virut.n.gen
Microsoft 1.4306 2009.02.26 Virus:Win32/Virut.BM
NOD32 3893 2009.02.26 Win32/Virut.NBK
Norman 6.00.06 2009.02.26 W32/Virut.BV
nProtect 2009.1.8.0 2009.02.26 -
Panda 10.0.0.10 2009.02.26 W32/Sality.AO
PCTools 4.4.2.0 2009.02.26 -
Prevx1 V2 2009.02.26 -
Rising 21.18.32.00 2009.02.26 -
SecureWeb-Gateway 6.0.0 2009.02.26 Win32.Virut.Gen
Sophos 4.39.0 2009.02.26 W32/Scribble-A
Sunbelt 3.2.1858.2 2009.02.26 Win32.Virut.cf (v)
Symantec 10 2009.02.26 W32.Virut.CF
TheHacker 6.3.2.5.266 2009.02.26 W32/Virut.gen
TrendMicro 8.700.0.1004 2009.02.26 PE_VIRUX.D
VBA32 3.12.10.1 2009.02.26 Virus.Win32.Virut.X5
ViRobot 2009.2.26.1625 2009.02.26 -
VirusBuster 4.5.11.0 2009.02.26 -

Additional information
File size: 47616 bytes
MD5...: b67135569ee86090d5383977d662b76c
SHA1..: 196a3cdbe1b7b887b8b0a7db4be1d2cb71b58258
SHA256: 59b8d412919fbca38bf589ea1ccb6a0b33b06d4ed16c2b01efe6913edc5cfd39
SHA512: 8432ad0b5794825b24063dad36e1c19c5c6eaa4f37c2acc4b327f33263f368f5<br>b2551e634d1a00b7843bef24ad9ca6da12f88f2ef63861cf51b4852fd7a2447c
ssdeep: 768:AKhCfOs3rcCXtWoOAsD2Hff3QPQv/PfTSZ0F05JxYKn33P0PO7QdtnSfBTZJ<br>EEu:AKhWpICXtWo4yHnJv/JF0Px1PcO7QHS4<br>
PEiD..: -
TrID..: File type identification<br>Generic Win/DOS Executable (49.9%)<br>DOS Executable Generic (49.8%)<br>Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information<br><br>( base data )<br>entrypointaddress.: 0x40cd25<br>timedatestamp.....: 0x4718b4de (Fri Oct 19 13:45:02 2007)<br>machinetype.......: 0x14c (I386)<br><br>( 2 sections )<br>name viradd virsiz rawdsiz ntrpy md5<br>.text 0x1000 0x2fa 0x400 4.99 77bd4b9c91fca798b9ca65195e963465<br>.rsrc 0x2000 0xbe00 0xb200 7.93 fccf5cfc8027d28ae6c4322169381829<br><br>( 1 imports ) <br>&gt; KERNEL32.dll: GetThreadContext, GetTickCount<br><br>( 0 exports ) <br>

Shaba
2009-02-27, 07:21
That doesn't look good at all.

Let's run this next:

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select ''Run as administrator'' to perform this scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.

If you need a tutorial, see here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif)

Shaba
2009-03-04, 17:47
Due to the lack of feedback this Topic is closed.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.