-
Virtumonde problems
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:24:46 PM, on 1/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {a2fa8115-c03a-48f0-8a98-ae8bd4016409} - C:\WINDOWS\system32\yadihoni.dll
O2 - BHO: {b8c70e67-c953-bdca-78f4-ea6ae0170e2e} - {e2e0710e-a6ae-4f87-acdb-359c76e07c8b} - C:\WINDOWS\system32\iotyvd.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [heyadolenu] Rundll32.exe "C:\WINDOWS\system32\mibewoja.dll",s
O4 - HKLM\..\Run: [a47491bb] rundll32.exe "C:\WINDOWS\system32\muvuzuda.dll",b
O4 - HKLM\..\Run: [CPMa747a227] Rundll32.exe "C:\WINDOWS\system32\fezogevu.dll",a
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA6970] command /c del "C:\WINDOWS\system32\gavubaki.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5012] cmd /c del "C:\WINDOWS\system32\gavubaki.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8153] command /c del "C:\WINDOWS\system32\mibewoja.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC736] cmd /c del "C:\WINDOWS\system32\mibewoja.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8502] command /c del "C:\WINDOWS\system32\yabikuse.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9859] cmd /c del "C:\WINDOWS\system32\yabikuse.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\RunOnce: [SpybotDeletingB5073] command /c del "C:\WINDOWS\system32\gavubaki.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2378] cmd /c del "C:\WINDOWS\system32\gavubaki.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8340] command /c del "C:\WINDOWS\system32\mibewoja.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3532] cmd /c del "C:\WINDOWS\system32\mibewoja.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3358] command /c del "C:\WINDOWS\system32\yabikuse.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5189] cmd /c del "C:\WINDOWS\system32\yabikuse.dll_old"
O4 - HKUS\S-1-5-20\..\Run: [heyadolenu] Rundll32.exe "C:\WINDOWS\system32\mibewoja.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: TotalMedia Backup Monitor.lnk = C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: c:\windows\system32\jutimono.dll C:\WINDOWS\system32\zumunope.dll c:\windows\system32\fezogevu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fezogevu.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fezogevu.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
--
End of file - 7374 bytes
-
Hello passean,
Welcome to Safer Networking.
Please read Before You Post
That said, All advice given by anyone volunteering here, is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.
Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.
Not to worry if some of these are not there..
O2 - BHO: (no name) - {a2fa8115-c03a-48f0-8a98-ae8bd4016409} - C:\WINDOWS\system32\yadihoni.dll
O2 - BHO: {b8c70e67-c953-bdca-78f4-ea6ae0170e2e} - {e2e0710e-a6ae-4f87-acdb-359c76e07c8b} - C:\WINDOWS\system32\iotyvd.dll
O4 - HKLM\..\Run: [heyadolenu] Rundll32.exe "C:\WINDOWS\system32\mibewoja.dll",s
O4 - HKLM\..\Run: [a47491bb] rundll32.exe "C:\WINDOWS\system32\muvuzuda.dll",b
O4 - HKLM\..\Run: [CPMa747a227] Rundll32.exe "C:\WINDOWS\system32\fezogevu.dll",a
O4 - HKLM\..\RunOnce: [SpybotDeletingA6970] command /c del "C:\WINDOWS\system32\gavubaki.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5012] cmd /c del "C:\WINDOWS\system32\gavubaki.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8153] command /c del "C:\WINDOWS\system32\mibewoja.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC736] cmd /c del "C:\WINDOWS\system32\mibewoja.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8502] command /c del "C:\WINDOWS\system32\yabikuse.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9859] cmd /c del "C:\WINDOWS\system32\yabikuse.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5073] command /c del "C:\WINDOWS\system32\gavubaki.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2378] cmd /c del "C:\WINDOWS\system32\gavubaki.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8340] command /c del "C:\WINDOWS\system32\mibewoja.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3532] cmd /c del "C:\WINDOWS\system32\mibewoja.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3358] command /c del "C:\WINDOWS\system32\yabikuse.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5189] cmd /c del "C:\WINDOWS\system32\yabikuse.dll_old"
O4 - HKUS\S-1-5-20\..\Run: [heyadolenu] Rundll32.exe "C:\WINDOWS\system32\mibewoja.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: c:\windows\system32\jutimono.dll C:\WINDOWS\system32\zumunope.dll c:\windows\system32\fezogevu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fezogevu.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fezogevu.dll
Please download Malwarebytes' Anti-Malware from Here or Here
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish,so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.<-- Don't forget this
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy and Paste the entire report in your next reply along with a New Hijackthis log.
-
I will see what I can do. In the few days since I posted, that computer has not booted when I turned it on. I will try again in the morning and follow up with a response.
Thanks
Sean
-
Sean,
Try booting into Safemode, you can perform all my instructions in Safemode.
To Enter Safemode
- Go to Start> Shut off your Computer> Restart
- As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu. - Use the Up and Down Arrow Keys to scroll up to Safemode with Network Support
- Then press the Enter Key on your Keyboard
Tutorial if you need it How to boot into Safemode
-
thanks Ken, I will try, but as I said, it wont boot up AT ALL..no unix what-so-ever...so I'm not sure this will work.
If not I am printing this post out and handing it off to a guy who has fixed my computer before. I trust him and he is familiar with my machine having helped me before with a hardware issue that I had. If he chooses to use the boards, I will have him just reply here.
~sean
-
Hello Sean,
I will keep this thread open for about a week for you , if after that time this thread is closed, just start a new topic.
Good luck,
Ken
-
Due to inactivity, this thread will now be closed.
Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules