smhyde
2009-09-20, 09:15
Please help me. Think I'm infected with virtumonde.sdn, win32.fraudload.edt and maybe others. Something is even stopping me from visiting most antivirus web sites.
I uninstalled an OLD version of Symantec Antivirus and was going to install ESET NOD32, but something is stopping the install package from working. I currently have NO anti-virus software.
Computer will only boot in safe mode and sometimes a clean boot works. Regular boot hangs up.
The following HijackThis log was made while booted into Safe Mode with Network Support, in case that matters...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:06:05, on 9/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\All Users\Application Data\15043124\15043124.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
*.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program
Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program
Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: File Print FedEx Kinko's - {9566395F-43D2-4c64-B525-B501FFA276E2} - mscoree.dll
(file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} -
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: File Print FedEx Kinko's - {9566395f-43d2-4c64-b525-b501ffa276e2} -
mscoree.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program
Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [pusidiweh] Rundll32.exe "c:\windows\system32\litilifu.dll",a
O4 - HKLM\..\Run: [15043124] C:\Documents and Settings\All Users\Application
Data\15043124\15043124.exe
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search &
Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA8689] command.com /c del
"C:\WINDOWS\system32\mopifobi.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC400] cmd.exe /c del
"C:\WINDOWS\system32\mopifobi.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7965] command.com /c del
"C:\WINDOWS\system32\telemize.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4413] cmd.exe /c del
"C:\WINDOWS\system32\telemize.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA868] command.com /c del
"C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8466] cmd.exe /c del
"C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1385] command.com /c del
"C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1386] cmd.exe /c del
"C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6141] command.com /c del "C:\WINDOWS\svchost.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3496] cmd.exe /c del "C:\WINDOWS\svchost.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB9011] command.com /c del
"C:\WINDOWS\system32\mopifobi.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2744] cmd.exe /c del
"C:\WINDOWS\system32\mopifobi.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4742] command.com /c del
"C:\WINDOWS\system32\telemize.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2658] cmd.exe /c del
"C:\WINDOWS\system32\telemize.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4497] command.com /c del
"C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4630] cmd.exe /c del
"C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8609] command.com /c del
"C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4665] cmd.exe /c del
"C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job"
O4 - HKCU\..\RunOnce: [SpybotDeletingB512] command.com /c del "C:\WINDOWS\svchost.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8038] cmd.exe /c del "C:\WINDOWS\svchost.exe"
O8 - Extra context menu item: Append to existing PDF - res://C:\Program
Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program
Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program
Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program
Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program
Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program
Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program
Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat
8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Kensington
Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program
Files\Kensington Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} -
C:\Program Files\Kensington Bluetooth\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program
Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration -
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search &
Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network
Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583}
- C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) -
http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
http://a1540.g.akamai.net/7/1540/52/20061023/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {10D1242B-6EFF-465D-B2F6-27AB9B310929} (WrapFrontend Control) -
http://www.softwrap.com/wrapper800.cab
O16 - DPF: {11FAB11B-4792-4B59-85DF-23C6688B07B3} (XTSAC Control) -
https://xyz.dyndns.org/XTSAC.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) -
http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) -
http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) -
http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) -
http://pubgis.co.pinellas.fl.us/ActiveX/ver6.3/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164968720718
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) -
https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {79D6214F-CFCE-480F-9901-27950E78F1E6} (WebCacheCleaner Class) -
https://xyz.dyndns.org/MLWebCacheCleaner.cab
O16 - DPF: {7EBA6D58-EB2D-46F4-A363-10C4DF50B907} (SCORMAPIDLL.API) -
http://alp.bertrodgers.com/thealp/SCORMAPIDLL.CAB
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) -
http://www.homesteadhotels.com/minisite/accommodations/surround/MSSurVid.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) -
http://www.samsphotoclub.com/upload/FujifilmUploadClient.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) -
http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DD5E6739-FDD6-4542-8940-4A4B8AB5276E} (NGVPLaunch Class) -
https://xyz.dyndns.org/NGVPNTunnel.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) -
http://samsclubus.pnimedia.com/upload/activex/v2_0_0_11/PCAXSetupv2.0.0.11.cab?
O16 - DPF: {F375116A-793C-11D2-BFE1-444553540001} (First American Res MapActiveX Control)
- http://www.realquest.com/mapviewer/mapviewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B500F06-F1D3-44BC-B8C8-49620494B1D4}: NameServer
= 65.32.5.111,65.32.5.112
O20 - AppInit_DLLs: telemize.dll c:\windows\system32\litilifu.dll
O21 - SSODL: popedebuw - {d4fd27aa-8f9b-45c4-ae51-bc6aa005bba1} -
c:\windows\system32\litilifu.dll
O22 - SharedTaskScheduler: jugezatag - {d4fd27aa-8f9b-45c4-ae51-bc6aa005bba1} -
c:\windows\system32\litilifu.dll
--
End of file - 10034 bytes