Thread: Virtumonde problems

  1. #1
    Junior Member
    Join Date
    Jan 2009
    Posts
    3

    Default Virtumonde problems

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:24:46 PM, on 1/25/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    C:\Program Files\Network Associates\VirusScan\mcshield.exe
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {a2fa8115-c03a-48f0-8a98-ae8bd4016409} - C:\WINDOWS\system32\yadihoni.dll
    O2 - BHO: {b8c70e67-c953-bdca-78f4-ea6ae0170e2e} - {e2e0710e-a6ae-4f87-acdb-359c76e07c8b} - C:\WINDOWS\system32\iotyvd.dll
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
    O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [heyadolenu] Rundll32.exe "C:\WINDOWS\system32\mibewoja.dll",s
    O4 - HKLM\..\Run: [a47491bb] rundll32.exe "C:\WINDOWS\system32\muvuzuda.dll",b
    O4 - HKLM\..\Run: [CPMa747a227] Rundll32.exe "C:\WINDOWS\system32\fezogevu.dll",a
    O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKLM\..\RunOnce: [SpybotDeletingA6970] command /c del "C:\WINDOWS\system32\gavubaki.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC5012] cmd /c del "C:\WINDOWS\system32\gavubaki.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA8153] command /c del "C:\WINDOWS\system32\mibewoja.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC736] cmd /c del "C:\WINDOWS\system32\mibewoja.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA8502] command /c del "C:\WINDOWS\system32\yabikuse.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC9859] cmd /c del "C:\WINDOWS\system32\yabikuse.dll_old"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKCU\..\RunOnce: [SpybotDeletingB5073] command /c del "C:\WINDOWS\system32\gavubaki.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD2378] cmd /c del "C:\WINDOWS\system32\gavubaki.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB8340] command /c del "C:\WINDOWS\system32\mibewoja.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD3532] cmd /c del "C:\WINDOWS\system32\mibewoja.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB3358] command /c del "C:\WINDOWS\system32\yabikuse.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD5189] cmd /c del "C:\WINDOWS\system32\yabikuse.dll_old"
    O4 - HKUS\S-1-5-20\..\Run: [heyadolenu] Rundll32.exe "C:\WINDOWS\system32\mibewoja.dll",s (User 'NETWORK SERVICE')
    O4 - Global Startup: TotalMedia Backup Monitor.lnk = C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - AppInit_DLLs: c:\windows\system32\jutimono.dll C:\WINDOWS\system32\zumunope.dll c:\windows\system32\fezogevu.dll
    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fezogevu.dll
    O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fezogevu.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

    --
    End of file - 7374 bytes

  2. #2
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hello passean,

    Welcome to Safer Networking.

    Please read Before You Post
    That said, all advice given by anyone volunteering here is taken at your own risk.
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen.


    Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one (the only program or window you should have open is HijackThis), check the following entries and click on Fix Checked.


    Not to worry if some of these are not there.


    O2 - BHO: (no name) - {a2fa8115-c03a-48f0-8a98-ae8bd4016409} - C:\WINDOWS\system32\yadihoni.dll
    O2 - BHO: {b8c70e67-c953-bdca-78f4-ea6ae0170e2e} - {e2e0710e-a6ae-4f87-acdb-359c76e07c8b} - C:\WINDOWS\system32\iotyvd.dll

    O4 - HKLM\..\Run: [heyadolenu] Rundll32.exe "C:\WINDOWS\system32\mibewoja.dll",s
    O4 - HKLM\..\Run: [a47491bb] rundll32.exe "C:\WINDOWS\system32\muvuzuda.dll",b
    O4 - HKLM\..\Run: [CPMa747a227] Rundll32.exe "C:\WINDOWS\system32\fezogevu.dll",a
    O4 - HKLM\..\RunOnce: [SpybotDeletingA6970] command /c del "C:\WINDOWS\system32\gavubaki.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC5012] cmd /c del "C:\WINDOWS\system32\gavubaki.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA8153] command /c del "C:\WINDOWS\system32\mibewoja.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC736] cmd /c del "C:\WINDOWS\system32\mibewoja.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA8502] command /c del "C:\WINDOWS\system32\yabikuse.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC9859] cmd /c del "C:\WINDOWS\system32\yabikuse.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB5073] command /c del "C:\WINDOWS\system32\gavubaki.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD2378] cmd /c del "C:\WINDOWS\system32\gavubaki.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB8340] command /c del "C:\WINDOWS\system32\mibewoja.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD3532] cmd /c del "C:\WINDOWS\system32\mibewoja.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB3358] command /c del "C:\WINDOWS\system32\yabikuse.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD5189] cmd /c del "C:\WINDOWS\system32\yabikuse.dll_old"
    O4 - HKUS\S-1-5-20\..\Run: [heyadolenu] Rundll32.exe "C:\WINDOWS\system32\mibewoja.dll",s (User 'NETWORK SERVICE')

    O20 - AppInit_DLLs: c:\windows\system32\jutimono.dll C:\WINDOWS\system32\zumunope.dll c:\windows\system32\fezogevu.dll

    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fezogevu.dll

    O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fezogevu.dll

    Please download Malwarebytes' Anti-Malware from Here or Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected. <-- Don't forget this
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and Paste the entire report in your next reply along with a New Hijackthis log.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.
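    The fix list in post #2 is not arbitrary: every entry the helper picked out of the post #1 log shares a structural tell (a BHO with no name or a GUID as its name, a Run value that calls rundll32 on a system32 DLL with a one-letter export, anything at all in AppInit_DLLs, and one DLL wired into several load points at once). The script below is an added example, not part of this thread, of the helper's procedure or of HijackThis; it re-reads lines copied from the post #1 log and flags them on those tells alone. The function names, the GUID/rundll32 regexes and the "multi" pseudo-section are the example's own choices, and the two benign Adobe and iTunes lines are there to show what is not flagged.

```python
"""
Triage helper for HijackThis (HJT) log lines.  Flags the structural signals
the helper in post #2 acted on; it does not know the DLL names and does not
need to.  Added example: not the thread's, the helper's or HijackThis code.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Sample input: lines copied from the log in post #1 of this thread, plus two
# benign entries (Adobe BHO, iTunes Run value) that must NOT be flagged.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {a2fa8115-c03a-48f0-8a98-ae8bd4016409} - C:\WINDOWS\system32\yadihoni.dll
O2 - BHO: {b8c70e67-c953-bdca-78f4-ea6ae0170e2e} - {e2e0710e-a6ae-4f87-acdb-359c76e07c8b} - C:\WINDOWS\system32\iotyvd.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [heyadolenu] Rundll32.exe "C:\WINDOWS\system32\mibewoja.dll",s
O4 - HKLM\..\Run: [a47491bb] rundll32.exe "C:\WINDOWS\system32\muvuzuda.dll",b
O4 - HKLM\..\Run: [CPMa747a227] Rundll32.exe "C:\WINDOWS\system32\fezogevu.dll",a
O4 - HKUS\S-1-5-20\..\Run: [heyadolenu] Rundll32.exe "C:\WINDOWS\system32\mibewoja.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: c:\windows\system32\jutimono.dll C:\WINDOWS\system32\zumunope.dll c:\windows\system32\fezogevu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fezogevu.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fezogevu.dll
"""

# A bare {8-4-4-4-12} hex GUID used where a human-readable BHO name belongs.
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# Any drive-letter path ending in .dll (the \b keeps "foo.dll_old" from matching).
DLL_RE = re.compile(r"[A-Za-z]:\\.*?\.dll\b", re.I)
# rundll32 <dll>,<single letter>: the export name is one character long.
RUNDLL_RE = re.compile(
    r"rundll32(?:\.exe)?\s+\"?([A-Za-z]:\\.*?\.dll)\"?\s*,\s*([A-Za-z])\b", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so mixed-case paths collapse."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log: str) -> Tuple[List[Tuple[str, str, str]], Dict[str, List[str]]]:
    """Return (findings, shared).

    findings: (section, reason, raw line) in log order; the pseudo-section
              "multi" is used for DLLs registered under several load points.
    shared:   DLL basename -> sorted HJT sections that load it (2 or more only).
    """
    findings: List[Tuple[str, str, str]] = []
    loaders: Dict[str, Set[str]] = defaultdict(set)

    for raw in log.splitlines():
        line = raw.strip()
        if not line or " - " not in line:
            continue
        section, rest = line.split(" - ", 1)          # "O2", "O4", "O20", ...

        # Remember which sections reference each DLL, for the cross-check below.
        for path in DLL_RE.findall(line):
            loaders[basename(path)].add(section)

        if section == "O2" and rest.startswith("BHO: "):
            name = rest[len("BHO: "):].split(" - ", 1)[0]
            if name == "(no name)" or GUID_RE.match(name):
                findings.append((section, "BHO with no descriptive name", line))
        elif section == "O4":
            m = RUNDLL_RE.search(rest)
            if m:
                findings.append((section,
                                 f"rundll32 loads {basename(m.group(1))} "
                                 f"via single-letter export '{m.group(2)}'", line))
        elif section == "O20" and rest.startswith("AppInit_DLLs:"):
            # On XP every DLL listed here is injected into each process that
            # loads user32.dll; a home PC normally has nothing in this value.
            for path in DLL_RE.findall(rest):
                findings.append((section,
                                 f"AppInit_DLLs injects {basename(path)}", line))

    shared = {dll: sorted(secs) for dll, secs in loaders.items() if len(secs) >= 2}
    for dll, secs in sorted(shared.items()):
        findings.append(("multi",
                         f"{dll} is wired into {len(secs)} load points: "
                         f"{', '.join(secs)}", ""))
    return findings, shared


def flagged_lines(log: str) -> List[str]:
    """Distinct raw log lines that triage() flagged, in log order."""
    seen: List[str] = []
    for _, _, line in triage(log)[0]:
        if line and line not in seen:
            seen.append(line)
    return seen


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG)[0]:
        print(f"[{section}] {reason}")
        if line:
            print(f"    {line}")
```

    Run against the sample, the script flags the two unnamed BHOs, all four rundll32 Run values, the three AppInit_DLLs entries, and reports fezogevu.dll as present in O4, O20, O21 and O22 at once, which is exactly the set the helper told the poster to fix; the Adobe and iTunes lines pass untouched. These are heuristics, not verdicts: an unnamed BHO or a rundll32 Run value can be legitimate, which is why the helper also asks for a Malwarebytes scan and a fresh log before calling the machine clean.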

  3. #3
    Junior Member
    Join Date
    Jan 2009
    Posts
    3

    Default

    I will see what I can do. In the few days since I posted, that computer has not booted when I turned it on. I will try again in the morning and follow up with a response.

    Thanks
    Sean

  4. #4
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Sean,

    Try booting into Safemode; you can perform all my instructions in Safemode.

    To Enter Safemode
    • Go to Start> Shut off your Computer> Restart
    • As the computer starts to boot up, tap the F8 KEY somewhat rapidly; this will bring up a menu.
    • Use the Up and Down Arrow Keys to scroll up to Safemode with Network Support
    • Then press the Enter Key on your Keyboard

    Tutorial if you need it How to boot into Safemode

  5. #5
    Junior Member
    Join Date
    Jan 2009
    Posts
    3

    Default

    Thanks Ken, I will try, but as I said, it won't boot up AT ALL.. no unix whatsoever... so I'm not sure this will work.

    If not I am printing this post out and handing it off to a guy who has fixed my computer before. I trust him and he is familiar with my machine having helped me before with a hardware issue that I had. If he chooses to use the boards, I will have him just reply here.

    ~sean

  6. #6
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hello Sean,

    I will keep this thread open for about a week for you. If after that time this thread is closed, just start a new topic.

    Good luck,
    Ken

  7. #7
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Due to inactivity, this thread will now be closed.

    Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
