virtumonde.prx infection



gruntgrunt1
2010-09-16, 16:53
I have followed the directions as per 'before you post'. Spybot found virtumonde.prx and Win32.Muollo during scan. Machine is currently running Mcafee and spybot.

DDS.txt below

DDS (Ver_10-03-17.01) - NTFSx86
Run by Admin 1 at 14:22:57.39 on 16/09/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3326.2452 [GMT 1:00]

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Program Files\Nuance\PDF Professional 6\PDFProFiltSrv.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe
C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe
C:\Program Files\Snappy Fax Version 4\sfpagent.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Royal Mail\SmartStamp\BINARY\STRAY.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
C:\Program Files\Nuance\PDF Professional 6\pdfpro6hook.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Snappy Fax Version 4\sf4.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\BUFFALO\NASNAVI\NasNavi.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Admin 1\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bbc.co.uk/
uSearch Bar =
uDefault_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk-rel&channel=uk&ibd=0070819
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: PlusIEEventHelper Class: {551a852f-39a6-44a7-9c13-afbec9185a9d} - c:\program files\nuance\pdf professional 6\bin\PlusIEContextMenu.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100812102828.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: ZeonIEEventHelper Class: {da986d7d-ccaf-47b2-84fe-bfa1549bebf9} - c:\program files\nuance\pdf professional 6\bin\ZeonIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Nuance PDF: {e3286bf1-e654-42ff-b4a6-5e111731df6b} - c:\program files\nuance\pdf professional 6\bin\ZeonIEFavClient.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [Snappy Fax] c:\program files\snappy fax version 4\sf4.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [1&1 EasyLogin] c:\program files\1&1\1&1 easylogin\EasyLogin.exe
uRun: [<NO NAME>]

Please help as I cannot use this machine to run my business at present

Thanks

Shaba
2010-09-19, 22:12
Hi gruntgrunt1

Please post next spybot log :)

gruntgrunt1
2010-09-20, 11:27
04/06/2009 11:46:28 Allowed (based on user decision) value "btbb_wcm_McciTrayApp" (new data: "") deleted in System Startup global entry!
04/06/2009 11:46:31 Allowed (based on user decision) value "btbb_McciTrayApp" (new data: "") deleted in System Startup global entry!
04/06/2009 11:46:52 Allowed (based on user decision) value "IHUbtbb" (new data: ""C:\Program Files\Common Files\Motive\InstallHelper.exe" /DIR="C:\Program Files\Common Files\Motive" /UninstallVendor=btbb /platform=Win32") added in System Startup global entry!
04/06/2009 11:49:48 Allowed (based on user decision) value "IHUbtbb" (new data: "") deleted in System Startup global entry!
05/06/2009 09:36:31 Allowed (based on user decision) value "Start Page" (new data: "http://www.bbc.co.uk/") changed in Browser page!
10/06/2009 08:37:12 Allowed (based on user decision) value "SunJavaUpdateSched" (new data: "") deleted in System Startup global entry!
10/06/2009 08:37:36 Allowed (based on user decision) value "{E7E6F031-17CE-4C07-BC86-EABFE594F69C}" (new data: "") deleted in Browser Helper Object!
10/06/2009 08:37:49 Allowed (based on user decision) value "{DBC80044-A445-435b-BC74-9C25C1C588A9}" (new data: "") deleted in Browser Helper Object!
10/06/2009 08:37:49 Allowed (based on user decision) value "{8AD9C840-044E-11D1-B3E9-00805F499D93}" (new data: "") deleted in ActiveX Distribution Unit!
10/06/2009 08:37:54 Allowed (based on user decision) value "{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}" (new data: "") deleted in ActiveX Distribution Unit!
10/06/2009 08:37:57 Allowed (based on authenticode whitelist) value "{DBC80044-A445-435b-BC74-9C25C1C588A9}" (new data: "") added in Browser Helper Object!
10/06/2009 08:37:58 Allowed (based on user decision) value "{8AD9C840-044E-11D1-B3E9-00805F499D93}" (new data: "") added in ActiveX Distribution Unit!
10/06/2009 08:38:06 Allowed (based on user decision) value "{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}" (new data: "") added in ActiveX Distribution Unit!
10/06/2009 08:38:07 Allowed (based on authenticode whitelist) value "SunJavaUpdateSched" (new data: ""C:\Program Files\Java\jre6\bin\jusched.exe"") added in System Startup global entry!
10/06/2009 08:38:10 Allowed (based on user decision) value "{E7E6F031-17CE-4C07-BC86-EABFE594F69C}" (new data: "") added in Browser Helper Object!
13/06/2009 10:12:02 Allowed (based on user decision) value "QuickTime Task" (new data: ""C:\Program Files\QuickTime\qttask.exe" -atboottime") changed in System Startup global entry!
22/06/2009 10:19:34 Allowed (based on user decision) value "swg" (new data: "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe") added in System Startup user entry!
22/06/2009 10:19:35 Allowed (based on user decision) value "{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}" (new data: "") added in Browser Helper Object!
17/07/2009 09:24:52 Allowed (based on user decision) value "QuickTime Task" (new data: "") deleted in System Startup global entry!
17/07/2009 09:25:41 Allowed (based on user decision) value "QuickTime Task" (new data: ""C:\Program Files\QuickTime\QTTask.exe" -atboottime") added in System Startup global entry!
17/07/2009 09:26:41 Allowed (based on lassh blacklist) value "iTunesHelper" (new data: "") deleted in System Startup global entry!
17/07/2009 09:27:29 Allowed (based on user decision) value "iTunesHelper" (new data: ""C:\Program Files\iTunes\iTunesHelper.exe"") added in System Startup global entry!
17/07/2009 09:38:10 Allowed (based on user decision) value "Snappy Fax Printer virtual printer agent" (new data: "") deleted in System Startup global entry!
17/07/2009 09:38:24 Allowed (based on user decision) value "Snappy Fax Printer virtual printer agent" (new data: ""C:\Program Files\Snappy Fax Version 4\sfpagent.exe"") added in System Startup global entry!
31/07/2009 12:31:51 Allowed (based on user decision) value "QuickTime Task" (new data: ""C:\Program Files\QuickTime\qttask.exe" -atboottime") changed in System Startup global entry!
04/08/2009 11:34:59 Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "C:\WINDOWS\system32\Macromed\Flash\FlashUtil10b.exe") added in System Startup user entry!
05/08/2009 09:10:15 Allowed (based on user decision) value "SunJavaUpdateSched" (new data: "") deleted in System Startup global entry!
05/08/2009 09:10:45 Allowed (based on user decision) value "{E7E6F031-17CE-4C07-BC86-EABFE594F69C}" (new data: "") deleted in Browser Helper Object!
05/08/2009 09:10:58 Allowed (based on user decision) value "{8AD9C840-044E-11D1-B3E9-00805F499D93}" (new data: "") deleted in ActiveX Distribution Unit!
05/08/2009 09:10:59 Allowed (based on user decision) value "{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}" (new data: "") deleted in ActiveX Distribution Unit!
05/08/2009 09:11:00 Allowed (based on user decision) value "{DBC80044-A445-435b-BC74-9C25C1C588A9}" (new data: "") deleted in Browser Helper Object!
05/08/2009 09:11:04 Allowed (based on user decision) value "{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}" (new data: "") added in ActiveX Distribution Unit!
05/08/2009 09:11:08 Allowed (based on user decision) value "{DBC80044-A445-435b-BC74-9C25C1C588A9}" (new data: "") added in Browser Helper Object!
05/08/2009 09:11:09 Allowed (based on user decision) value "{8AD9C840-044E-11D1-B3E9-00805F499D93}" (new data: "") added in ActiveX Distribution Unit!
05/08/2009 09:11:12 Allowed (based on user decision) value "{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" (new data: "") added in Browser Helper Object!
05/08/2009 09:11:16 Allowed (based on user decision) value "SunJavaUpdateSched" (new data: ""C:\Program Files\Java\jre6\bin\jusched.exe"") added in System Startup global entry!
05/08/2009 09:11:19 Allowed (based on user decision) value "{E7E6F031-17CE-4C07-BC86-EABFE594F69C}" (new data: "") added in Browser Helper Object!
05/08/2009 09:11:19 Allowed (based on user decision) value "{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" (new data: "") deleted in Browser Helper Object!
05/08/2009 17:44:11 Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "") deleted in System Startup user entry!
15/08/2009 11:02:12 Allowed (based on user decision) value "DefaultPassword" (new data: "") deleted in Winlogon!
18/08/2009 08:13:48 Allowed (based on user decision) value "HPSoftwareUpdate" (new data: "C:\Program Files\HP\HP Software Update\HPWUCli.exe") added in System Startup user entry!
18/08/2009 08:14:30 Allowed (based on user decision) value "HPSoftwareUpdate" (new data: "") deleted in System Startup user entry!
11/09/2009 09:02:19 Allowed (based on lassh blacklist) value "QuickTime Task" (new data: "") deleted in System Startup global entry!
11/09/2009 09:03:15 Allowed (based on user decision) value "QuickTime Task" (new data: ""C:\Program Files\QuickTime\QTTask.exe" -atboottime") added in System Startup global entry!
11/09/2009 09:04:29 Allowed (based on lassh blacklist) value "iTunesHelper" (new data: "") deleted in System Startup global entry!
11/09/2009 09:06:03 Allowed (based on user decision) value "iTunesHelper" (new data: ""C:\Program Files\iTunes\iTunesHelper.exe"") added in System Startup global entry!
23/09/2009 15:40:44 Allowed (based on user decision) value "QuickTime Task" (new data: ""C:\Program Files\QuickTime\qttask.exe" -atboottime") changed in System Startup global entry!
25/09/2009 09:20:08 Allowed (based on user decision) value "QuickTime Task" (new data: ""C:\Program Files\QuickTime\QTTask.exe" -atboottime") changed in System Startup global entry!
25/09/2009 09:21:24 Allowed (based on user decision) value "iTunesHelper" (new data: "") deleted in System Startup global entry!
25/09/2009 09:23:42 Allowed (based on user decision) value "iTunesHelper" (new data: ""C:\Program Files\iTunes\iTunesHelper.exe"") added in System Startup global entry!
08/10/2009 09:39:01 Allowed (based on user decision) value "QuickTime Task" (new data: ""C:\Program Files\QuickTime\qttask.exe" -atboottime") changed in System Startup global entry!
14/10/2009 10:42:40 Allowed (based on user decision) value "Snappy Fax Printer virtual printer agent" (new data: "") deleted in System Startup global entry!
14/10/2009 10:42:54 Allowed (based on user decision) value "Snappy Fax Printer virtual printer agent" (new data: ""C:\Program Files\Snappy Fax Version 4\sfpagent.exe"") added in System Startup global entry!
14/10/2009 10:48:18 Allowed (based on lassh blacklist) value "updateMgr" (new data: ""C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcStd7_1_0 -reboot 1") added in System Startup user entry!
14/10/2009 10:48:36 Allowed (based on user decision) value "updateMgr" (new data: ""C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcStd7_1_0") changed in System Startup user entry!
14/10/2009 10:48:36 Encountered and terminated Coulomb Ltd.Content Access Plugin in C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe!
14/10/2009 10:55:29 Allowed (based on lassh blacklist) value "updateMgr" (new data: ""C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcStd7_1_0 -reboot 1") changed in System Startup user entry!
14/10/2009 10:58:00 Allowed (based on lassh blacklist) value "updateMgr" (new data: "") deleted in System Startup user entry!
16/10/2009 03:03:21 Allowed (based on user decision) value "NetFxUpdate_v1.1.4322" (new data: ""C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe" 0 v1.1.4322 GAC + NI NID") added in System Startup global entry!
16/10/2009 03:03:26 Allowed (based on user decision) value "NetFxUpdate_v1.1.4322" (new data: "") deleted in System Startup global entry!
19/03/2010 09:53:03 Allowed (based on user decision) value "SpybotSD TeaTimer" (new data: "") deleted in System Startup user entry!
19/03/2010 09:53:03 Allowed (based on user decision) value "{53707962-6F74-2D53-2644-206D7942484F}" (new data: "") deleted in Browser Helper Object!
15/04/2010 10:30:54 Allowed (based on user decision) value "Security Central" (new data: "") deleted in System Startup global entry!
20/04/2010 13:33:33 Allowed (based on user decision) value "SunJavaUpdateSched" (new data: "") deleted in System Startup global entry!
20/04/2010 13:33:47 Allowed (based on user decision) value "{E7E6F031-17CE-4C07-BC86-EABFE594F69C}" (new data: "") deleted in Browser Helper Object!
20/04/2010 13:33:48 Allowed (based on user decision) value "{8AD9C840-044E-11D1-B3E9-00805F499D93}" (new data: "") deleted in ActiveX Distribution Unit!
20/04/2010 13:33:48 Allowed (based on user decision) value "{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}" (new data: "") deleted in ActiveX Distribution Unit!
20/04/2010 13:33:48 Allowed (based on user decision) value "{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}" (new data: "") deleted in ActiveX Distribution Unit!
20/04/2010 13:33:56 Allowed (based on user decision) value "SunJavaUpdateSched" (new data: ""C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"") added in System Startup global entry!
20/04/2010 13:33:56 Allowed (based on user decision) value "{DBC80044-A445-435b-BC74-9C25C1C588A9}" (new data: "") deleted in Browser Helper Object!
20/04/2010 13:33:56 Allowed (based on user decision) value "{8AD9C840-044E-11D1-B3E9-00805F499D93}" (new data: "") added in ActiveX Distribution Unit!
20/04/2010 13:33:56 Allowed (based on user decision) value "{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}" (new data: "") added in ActiveX Distribution Unit!
20/04/2010 13:34:37 Allowed (based on user decision) value "{DBC80044-A445-435b-BC74-9C25C1C588A9}" (new data: "") added in Browser Helper Object!
20/04/2010 13:34:39 Allowed (based on user decision) value "{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}" (new data: "") added in ActiveX Distribution Unit!
20/04/2010 13:34:50 Allowed (based on user decision) value "{E7E6F031-17CE-4C07-BC86-EABFE594F69C}" (new data: "") added in Browser Helper Object!
20/04/2010 13:34:51 Allowed (based on user decision) value "SunJavaUpdateSched" (new data: ""C:\Program Files\Common Files\Java\Java Update\jusched.exe"") changed in System Startup global entry!
23/04/2010 13:57:55 Allowed (based on user decision) value "NokiaMServer" (new data: "C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles startup") changed in System Startup global entry!
23/04/2010 14:22:58 Allowed (based on user decision) value "{53707962-6F74-2D53-2644-206D7942484F}" (new data: "") deleted in Browser Helper Object!
23/04/2010 14:23:03 Allowed (based on user decision) value "SpybotSD TeaTimer" (new data: "") deleted in System Startup user entry!
16/09/2010 13:25:38 Allowed (based on user decision) value "LogMeIn Backup GUI" (new data: "") deleted in System Startup global entry!
17/09/2010 09:13:08 Allowed (based on user decision) value "Vzoqahifureqij" (new data: "") deleted in System Startup user entry!
20/09/2010 09:13:55 Allowed (based on user decision) value "{7DB2D5A0-7241-4E79-B68D-6309F01C5231}" (new data: "") deleted in Browser Helper Object!

The machine is definitely happier now but there still appears to be an infection of some description - win32.muollo - of which I can find no trace but spybot keeps finding it and deleting it on reboot.

Thanks for your help

Steve

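The log in the post above is TeaTimer's change audit: one line per registry change it allowed or denied (startup values, Browser Helper Objects, ActiveX distribution units, Winlogon), not a list of detections. Two things in it are worth a closer look before anything else is deleted by hand: the random-looking startup value "Vzoqahifureqij" (the naming style Virtumonde/Vundo uses for its Run entries) and the BHO CLSID {7DB2D5A0-...} deleted on 20/09/2010, which the DDS report at the top of the thread maps to McAfee's scriptproxy DLL, i.e. a legitimate component. The script below is an added example for this thread, not code from Spybot, DDS or the forum helpers: it parses TeaTimer lines, cross-references BHO CLSIDs against the DDS "BHO:" lines, and flags the patterns above. The sample input is constructed from entries quoted in the thread, the rule in looks_generated is a plain heuristic (one alphabetic token of 10+ letters with no CamelCase boundary), and nothing here replaces a real scan.

```python
"""Triage Spybot TeaTimer log lines against a DDS pseudo-HJT report.

Added example for this thread (not Spybot or DDS code). Sample input is
constructed from entries quoted in the thread; the flagging rules are
heuristics and must be confirmed with an actual scan.
"""
import re
from dataclasses import dataclass
from typing import Optional

# TeaTimer line layout as posted. "new data" may itself contain quotes
# (""C:\path\x.exe"" style), so it is matched greedily and the action
# keyword that follows anchors the end of the field.
_LINE = re.compile(
    r'^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) '
    r'(?P<verdict>Allowed|Denied) \(based on (?P<basis>[^)]+)\) '
    r'value "(?P<name>[^"]+)" \(new data: "(?P<data>.*)"\) '
    r'(?P<action>added|deleted|changed) in (?P<location>.+?)!$'
)
# DDS pseudo-HJT line: BHO: <description>: {<clsid>} - <dll path>
_BHO = re.compile(r'^BHO: (?P<desc>.+?): \{(?P<clsid>[0-9a-fA-F-]{36})\} - (?P<dll>.+)$')

@dataclass
class TeaTimerEvent:
    ts: str
    verdict: str
    basis: str
    name: str
    data: str
    action: str
    location: str

def parse_line(line: str) -> Optional[TeaTimerEvent]:
    """Parse one TeaTimer line; None for other formats such as the
    'Encountered and terminated ...' lines."""
    m = _LINE.match(line.strip())
    return TeaTimerEvent(**m.groupdict()) if m else None

def looks_generated(name: str) -> bool:
    """Heuristic for Vundo-style random value names such as 'Vzoqahifureqij':
    a single alphabetic token, 10+ letters, no upper-case letter after the
    first. Vendor names like 'SunJavaUpdateSched' or 'iTunesHelper' pass."""
    return name.isalpha() and len(name) >= 10 and not any(c.isupper() for c in name[1:])

def index_dds_bhos(dds_lines) -> dict:
    """Map lower-case CLSID -> (description, dll path) from DDS 'BHO:' lines."""
    out = {}
    for line in dds_lines:
        m = _BHO.match(line.strip())
        if m:
            out[m["clsid"].lower()] = (m["desc"], m["dll"])
    return out

def triage(ev: TeaTimerEvent, dds_bhos: dict) -> Optional[str]:
    """Return a reason string if the event deserves a human look, else None."""
    if ev.location.startswith("System Startup") and looks_generated(ev.name):
        return f"random-looking startup value {ev.name!r} ({ev.action})"
    if ev.location == "Winlogon":
        # DefaultPassword under Winlogon stores an autologon password in clear text.
        return f"Winlogon value {ev.name!r} {ev.action}"
    if ev.location == "Browser Helper Object":
        clsid = ev.name.strip("{}").lower()
        if clsid in dds_bhos:
            desc, dll = dds_bhos[clsid]
            return f"BHO {ev.name} {ev.action}: DDS maps it to '{desc}' ({dll})"
        return f"BHO {ev.name} {ev.action}: CLSID not in DDS report, look it up"
    return None

def run(teatimer_text: str, dds_text: str):
    """Return (findings, skipped): findings as (timestamp, reason) pairs,
    skipped as the count of lines not in the TeaTimer change format."""
    bhos = index_dds_bhos(dds_text.splitlines())
    findings, skipped = [], 0
    for line in teatimer_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            skipped += 1
            continue
        reason = triage(ev, bhos)
        if reason:
            findings.append((ev.ts, reason))
    return findings, skipped

# Constructed sample input, built from lines quoted in the thread.
SAMPLE_TEATIMER = r'''
15/08/2009 11:02:12 Allowed (based on user decision) value "DefaultPassword" (new data: "") deleted in Winlogon!
10/06/2009 08:38:07 Allowed (based on authenticode whitelist) value "SunJavaUpdateSched" (new data: ""C:\Program Files\Java\jre6\bin\jusched.exe"") added in System Startup global entry!
14/10/2009 10:48:36 Encountered and terminated Coulomb Ltd.Content Access Plugin in C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe!
17/09/2010 09:13:08 Allowed (based on user decision) value "Vzoqahifureqij" (new data: "") deleted in System Startup user entry!
20/09/2010 09:13:55 Allowed (based on user decision) value "{7DB2D5A0-7241-4E79-B68D-6309F01C5231}" (new data: "") deleted in Browser Helper Object!
'''
SAMPLE_DDS = r'''
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100812102828.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
'''

if __name__ == "__main__":
    findings, skipped = run(SAMPLE_TEATIMER, SAMPLE_DDS)
    for ts, reason in findings:
        print(ts, reason)
    print(f"{skipped} line(s) skipped (not in change format)")
```

On the sample, the run reports the Winlogon DefaultPassword deletion, the "Vzoqahifureqij" startup entry, and the deleted BHO resolved to McAfee's scriptproxy, and skips the one "Encountered and terminated" line. The point of the CLSID cross-check is the one Shaba's replies make implicitly: TeaTimer records what changed, the DDS report says what a CLSID is, and neither is a scan result.
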
gruntgrunt1
2010-09-20, 16:37
I now appear to have these 2 trojans listed from McAfee. Bad week last week starts badly this week. Any ideas?

Thanks

Shaba
2010-09-21, 17:03
That is log from TeaTimer.

Please post scan results from Spybot scan :)