Virtumonde Infection

**kalasnjikov** · 2009-03-22, 18:25

Hullo,

Here's my Logfile of HijackThis v1.99.0

Scan saved at 11:22:21 AM, on 3/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
C:\Program Files\Tall Emu\Online Armor\oahlp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
E:\DOCUMENTS\downloaded programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {95c93837-f0da-45b5-9b83-f69f0f2328ce} - C:\WINDOWS\system32\jefaduku.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [bibudohetu] Rundll32.exe "C:\WINDOWS\system32\yirumuno.dll",s
O4 - HKLM\..\Run: [d892822e] rundll32.exe "C:\WINDOWS\system32\mosasaso.dll",b
O4 - HKLM\..\Run: [CPMdba1b1b2] Rundll32.exe "c:\windows\system32\lutolazu.dll",a
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: EPSON Background Monitor.lnk = C:\Program Files\EPSON\ESM2\STMS.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NETGEAR WPN311 Smart Wizard.lnk = C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite....x/qtplugin.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\pogewaso.dll c:\windows\system32\lutolazu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lutolazu.dll
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Canon Camera Access Library 8 - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: EpsonBidirectionalService - Unknown - C:\Program Files\EPSON\ESM2\eEBSVC.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Online Armor Helper Service - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Online Armor - Unknown - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

Can't get that SSODL out with either Spybot (even run during reboot), HJT or Regedit. This thing appears to be all over the registry, from HKClasses_Root on down. The more I block it with Online Armor (free version) and try and dig it out, the more it mutates. Real nasty bugger. Any help would be greatly appreciated.

Thanks

**pskelley** · 2009-03-23, 13:45

Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Pinned (sticky) to the top of this forum, and posted above are the directions, make sure you have read and followed them.

You have posted a HJT log from a VERY OLD HJT program. HJT is also not located safely. If you will take the time to read and follow the directions, then post a new HJT log with the correct version properly placed, I will take the time to take another look.

http://forums.spybot.info/showthread.php?t=288 <<< directions

Thanks

**kalasnjikov** · 2009-03-25, 16:19

Well,

Thank you, pskelley. I definitely read the sticky before posting. Unfortunately, I was greatly pressed for time and had to attempt a fix on my own, with ComboFix.

Here's the new HJT log (still using the old version, for reasons that will made clear.)

Logfile of HijackThis v1.99.0
Scan saved at 11:11:51 AM, on 3/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\DOCUMENTS\downloaded programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite....x/qtplugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1237996736406
O23 - Service: Canon Camera Access Library 8 - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: EpsonBidirectionalService - Unknown - C:\Program Files\EPSON\ESM2\eEBSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Online Armor Helper Service - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Online Armor - Unknown - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

ComboFix seems to have worked fairly well, however now I have a bit of a problem. The virus created a block of sorts on my Administrator privileges, and I can't access certain web content or load certain programs now (hence the lack of an updated HJT.) Tried to create a new ADmin account, to no avail.

Perhaps you find this an interesting problem... any help would be great.

Cheers,

Brad

**pskelley** · 2009-03-25, 16:38

Until a helper responds, the HJT log has not been analyzed. Please wait to be advised and do NOT run fixes until asked.

What the creator of the tool have to say:

You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.

Try this self-installer, it usually gets around the hackers junk:
Download Trend Micro Hijack This™ to your Desktop
http://download.bleepingcomputer.com...HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.

You can download it on another computer and use removable media to bring it to the infected computer, it is only 793 KB's

I will do my best to try to help, since you say you read the "Before you Post" stickey, must I assume you did not see the instructions to disable TeaTimer? If you still want help, post the log from the combofix run and a new HJT log after you disable TeaTimer.

**kalasnjikov** · 2009-03-25, 18:45

Hmm.

Well, now that I've downloaded to desktop and installed the new version of HJT I can't open the program. Same error message as before. I also cannot save a logfile from ComboFix as that too has been compromised.

Perhaps there is a way to fix whatever registry key has been added abyt virus to limit access?

**kalasnjikov** · 2009-03-25, 18:49

Sorry, that error message is as follows: "Windows cannot access the path, device, or file. You may not have the persmissions to access the item."

Hope that helps.

**pskelley** · 2009-03-25, 19:16

I had assumed since you said this:

I was greatly pressed for time and had to attempt a fix on my own, with ComboFix

.
That you had already run combofix and that was the results I was hoping to see. If that is not the case, delete combofix and download it again from here:

http://download.bleepingcomputer.com...HJTInstall.exe

Choose "Save this file now" and before you save it to the DESKTOP change the name of the file like this:

You must rename it before saving it, save it to your Desktop.

Then double click the file and follow the prompts to run it.

Thanks

Thread: Virtumonde Infection

Thread Tools

Display

Hybrid View

Virtumonde Infection

Posting Permissions