Results 1 to 3 of 3

Thread: SMithfraud and Virtumonde Infection Help?

  1. #1
    Junior Member
    Join Date
    Oct 2008
    Location
    Oklahoma
    Posts
    1

    Default SMithfraud and Virtumonde Infection Help?

    Hello

    I think I got this virus from a torrent or something. Heres the logs to "Highjack This" and "Combo Fix." Any help would be much appreciated. Thanks!!!!!!

    Steven

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:06:26 PM, on 10/2/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://oklahomacity.craigslist.org/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - AppInit_DLLs: ktguvw.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

    --
    End of file - 3046 bytes














    ComboFix 08-10-02.04 - Owner 2008-10-02 16:53:14.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1214 [GMT -5:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Owner\Cookies\owner@hb.pcworld[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@insightexpressai[2].txt
    C:\WINDOWS\BMdff39af4.txt
    C:\WINDOWS\BMdff39af4.xml
    C:\WINDOWS\system32\btpnidii.dll
    C:\WINDOWS\system32\celvsk.dll
    C:\WINDOWS\system32\cqbwpyxf.dll
    C:\WINDOWS\system32\jkklkIXQ.dll
    C:\WINDOWS\system32\jqijvimc.dll
    C:\WINDOWS\system32\ktguvw.dll
    C:\WINDOWS\system32\rkdcom.dll
    C:\WINDOWS\system32\wmemlbvk.dll
    C:\WINDOWS\system32\ykrbgwnr.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-09-02 to 2008-10-02 )))))))))))))))))))))))))))))))
    .

    2008-10-02 12:18 . 2008-10-02 12:18 121 --ahs---- C:\WINDOWS\system32\iwrmwlro.ini
    2008-10-02 11:33 . 2008-10-02 13:49 881,264 --ahs---- C:\WINDOWS\system32\VybHRXbc.ini2
    2008-10-02 11:33 . 2008-10-02 13:49 881,264 --ahs---- C:\WINDOWS\system32\VybHRXbc.ini
    2008-10-02 04:44 . 2008-10-02 04:44 <DIR> d-------- C:\Program Files\Windows Defender
    2008-10-02 04:30 . 2008-10-02 04:31 961,675 --ahs---- C:\WINDOWS\system32\qafxcgqc.ini
    2008-09-29 15:12 . 2008-09-29 15:12 <DIR> d-------- C:\Program Files\Sony
    2008-09-29 14:17 . 2005-09-29 16:35 972,292 --ahs---- C:\WINDOWS\system32\hfaxvocx.ini
    2008-09-29 14:10 . 2008-10-02 05:02 893,080 --ahs---- C:\WINDOWS\system32\FffMUvut.ini2
    2008-09-29 14:10 . 2008-10-02 05:03 893,080 --ahs---- C:\WINDOWS\system32\FffMUvut.ini
    2008-09-28 14:00 . 2008-09-28 14:01 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\vlc
    2008-09-28 13:59 . 2008-09-28 13:59 <DIR> d-------- C:\Program Files\VideoLAN
    2008-09-19 18:49 . 2008-09-19 18:49 <DIR> d-------- C:\Program Files\Acoustica MP3 Audio Mixer
    2008-09-19 18:49 . 2004-02-12 14:44 352,256 --a------ C:\WINDOWS\system32\eSellerateEngine.dll
    2008-09-19 10:47 . 2008-09-19 10:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Minnetonka Audio Software
    2008-09-19 08:59 . 2008-09-19 08:59 <DIR> d-------- C:\Program Files\Windows Media Connect 2
    2008-09-19 08:57 . 2008-09-19 08:57 <DIR> d-------- C:\WINDOWS\system32\LogFiles
    2008-09-19 08:57 . 2008-09-19 08:58 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
    2008-09-19 02:30 . 2008-09-19 02:30 <DIR> d-------- C:\Program Files\Sony Setup
    2008-09-15 23:01 . 2008-09-15 23:01 <DIR> d-------- C:\MPS
    2008-09-11 10:48 . 2008-04-14 00:17 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
    2008-09-11 10:48 . 2008-04-14 00:17 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
    2008-09-10 02:40 . 2008-09-10 02:40 <DIR> d-------- C:\Program Files\uTorrent
    2008-09-10 02:40 . 2003-10-01 10:04 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
    2008-09-08 18:32 . 2008-09-08 18:32 <DIR> d-------- C:\Program Files\MSXML 4.0
    2008-09-08 18:32 . 2008-09-20 03:00 1,374 --a------ C:\WINDOWS\imsins.BAK
    2008-09-04 05:54 . 2003-08-11 10:13 344,064 -ra------ C:\WINDOWS\system32\msvcr70.dll
    2008-09-04 05:54 . 2003-08-11 10:07 14,604 --a------ C:\WINDOWS\system32\drivers\pfc.sys
    2008-09-03 19:09 . 2003-09-30 01:30 69 --a------ C:\WINDOWS\NeroDigital.ini
    2008-09-03 18:15 . 2008-04-14 00:10 43,904 --a------ C:\WINDOWS\system32\drivers\sbp2port.sys
    2008-09-03 18:15 . 2008-04-14 00:10 43,904 --a--c--- C:\WINDOWS\system32\dllcache\sbp2port.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-04 10:52 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-08-23 15:36 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ahead
    2008-08-23 15:23 --------- d-----w C:\Documents and Settings\Owner\Application Data\CyberLink
    2008-08-23 15:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
    2008-08-23 14:57 --------- d-----w C:\Program Files\Common Files\Ahead
    2008-08-23 14:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
    2008-08-23 14:56 --------- d-----w C:\Program Files\Nero
    2008-08-23 14:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
    2008-08-23 14:50 --------- d-----w C:\Program Files\CyberLink
    2008-08-22 23:47 --------- d-----w C:\Program Files\CCleaner
    2008-08-22 23:25 --------- d-----w C:\Program Files\microsoft frontpage
    2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
    "LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
    "SoundMan"="SOUNDMAN.EXE" [2006-04-01 C:\WINDOWS\SOUNDMAN.EXE]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-09-29 113664]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=ktguvw.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"= ctwdm32.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\uTorrent\\uTorrent.exe"=

    .
    Contents of the 'Scheduled Tasks' folder
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{0B549309-31C4-4F81-9EFB-5134EC9FCEEB} - C:\WINDOWS\system32\tuvUMffF.dll
    BHO-{20c9c8a1-3464-45fd-8e36-0b8c0eed4a94} - C:\WINDOWS\system32\ktguvw.dll
    BHO-{25F5A921-4B7F-4BF4-BA9A-C52E022F63F9} - C:\WINDOWS\system32\jkklkIXQ.dll
    BHO-{96D6C80D-0236-4EE5-BABE-1B605795C0C8} - C:\WINDOWS\system32\cbXRHbyV.dll
    HKLM-Run-BMdff39af4 - C:\WINDOWS\system32\cjdgwuhd.dll
    ShellExecuteHooks-{25F5A921-4B7F-4BF4-BA9A-C52E022F63F9} - C:\WINDOWS\system32\jkklkIXQ.dll


    .
    ------- Supplementary Scan -------
    .
    R0 -: HKCU-Main,Start Page = hxxp://oklahomacity.craigslist.org/
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-02 16:57:25
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    C:\DOCUME~1\Owner\LOCALS~1\Temp\RGI1.tmp

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\devldr32.exe
    .
    **************************************************************************
    .
    Completion time: 2008-10-02 16:58:58 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-10-02 21:58:54

    Pre-Run: 195,052,417,024 bytes free
    Post-Run: 195,058,286,592 bytes free

    138 --- E O F --- 2008-09-20 08:01:07

  2. #2
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,252

    Default

    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
    The junk can be tough to remove, so do not expect fast or easy.

    If you still need help, proceed like this.

    1) Read the directions, appears you have not done so yet.

    2) File Sharing, otherwise known as Peer To Peer. (P2P)
    http://forums.spybot.info/showthread.php?t=282

    3) Do NOT run 'FIXES' before helpers have analyzed the HJT log
    http://forums.spybot.info/showthread.php?t=16806

    4) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

    5) Once the above is complete, post a new HJT log and describe any problems you are having. If you receive error messages, post those word for word.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  3. #3
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,252

    Default

    Due to the lack of feedback this Topic is closed.

    If you need this topic reopened, please request this by sending the moderating team
    a PM with the address of the thread. This applies only to the original topic starter.

    If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

    If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

    Everyone else please begin a New Topic.
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •