
Thread: Smitfraud C infection, perhaps Virtumonde also

  1. #1
    Junior Member
    Join Date
    Apr 2007
    Posts
    9

    Smitfraud C infection, perhaps Virtumonde also

    Hello, first time I'm facing malware of this "terrible, constantly shifting" sort.
    Quick summary of what happened to me since April 21, on a PC running XP SP1, Zonealarm Free Version and Firefox:

    xpre.exe - detected early by Symantec AV, quarantined and deleted, never came back
    virtumondo - detected by SpybotSnD, deleted, did not come back (but Internet Explorer kept trying to launch, even though my default browser is PortableFirefox, installed on my HDD)
    smitfraud C - deleted twice by SpybotSnD in safe mode, keeps resurfacing; also for each suspicious BHO I delete, a new one pops up almost immediately.
    jjkkll or similar filenames in my system32 folder - deleted some, but they keep coming back or changing names.
    Infected PC is now offline.

    When I ran hijackthis, the log file would not save.
    Reinstalled hijackthis, using the "rename to scanner.exe" suggestion I read on this forum; then the log could be saved.
    Before posting the logs, I wish to thank you in advance for willing to help me.

    Housecall online Antivirus (the only online scanner that was willing to work with Firefox): detected no abnormality, but warned me of several "vulnerabilities" in Outlook Express (which I never use) and in XML Core Services.

    Logfile of HijackThis v1.99.1
    Scan saved at 11:25:30 AM, on 4/23/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\System32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RunDll32.exe
    C:\WINDOWS\System32\pctspk.exe
    C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\SYMANT~2\vptray.exe
    C:\WINDOWS\System32\atwtusb.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\scanner contains hjk ths\scanner.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uiowa.edu/homepage/index-text.html
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {3F9D0C61-737D-44D1-BD80-91AF857061CC} - C:\WINDOWS\system32\ddcawuu.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: (no name) - {F4E0D341-4B97-4FB1-B1F1-B5E7DABC1DFE} - C:\WINDOWS\System32\jkhhg.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [C-Media Speaker Configuration] C:\PROGRA~1\C-Media\WIN_ME\Setup.exe /SPEAKER
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: Add to EverNote - res://C:\Program Files\EverNote\EverNote\enbar.dll/2000
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
    O9 - Extra button: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
    O9 - Extra 'Tools' menuitem: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.4.2_04) -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{66E87B80-8F50-43DE-ADCB-4D75AB4D2B1C}: NameServer = 167.142.225.5,167.142.225.6
    O17 - HKLM\System\CS1\Services\Tcpip\..\{66E87B80-8F50-43DE-ADCB-4D75AB4D2B1C}: NameServer = 167.142.225.5,167.142.225.6
    O17 - HKLM\System\CS3\Services\Tcpip\..\{66E87B80-8F50-43DE-ADCB-4D75AB4D2B1C}: NameServer = 167.142.225.5,167.142.225.6
    O20 - Winlogon Notify: ddcawuu - C:\WINDOWS\SYSTEM32\ddcawuu.dll
    O20 - Winlogon Notify: jkhhg - C:\WINDOWS\System32\jkhhg.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    ---------
    Following suspicious OR recently altered files are in system32 folder:
    ghhkj.ini
    vsconfig.xml
    wpa.dbl
    PerfStringBackup.ini
    perfh009.dat
    perfc009.dat
    ghhkj.bak2
    jkhhg.dll
    ddcbabc.dll
    ddcawuu.dll
    --------
    I also understand that you will ask me to upgrade my Java Runtime Environment. Please let me know at which stage I should uninstall the Java 1.4. Will I need to install the replacement v6 Java immediately to replace the older one, or can I install Java AFTER the infection is removed?
    --------
    I am using a USB flash drive to bring hijackthis files from the infected PC to this Win98 laptop. This laptop has only 192 MB RAM, and doesn't have a realtime antivirus. Am I at risk for infecting this laptop via the USB flash drive?

    --------
    Finally, I might be able to check my email/this thread only once a day, so please don't think I'm gone or ungrateful if I cannot reply fast enough.
    Thank you for your kind help.

  2. #2
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    Welcome to the forum. I understand you may not be able to check the topic often; please be as timely as you can.

    Java: http://forums.spybot.info/showpost.p...80&postcount=2
    Understand the hackers are using out of date Java to infect folks and it may well be the reason you are infected. I have seen, via many removals of this junk, that the fix works better with an updated Java program. I suggest you update to the newest version, uninstall all old versions and keep it updated.
    C:\Program Files\Java\j2re1.4.2_04\ <<< VERY outdated

    Please understand these hackers can call their junk anything they wish. Vundofix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Has been deleted"
    Since there is a class action involving this one, you may want to view this information:
    http://www.networkworld.com/news/200...-unravels.html
    http://www.youtube.com/watch?v=zBUZHiKhsog

    Thanks to Atribune and any others who helped with this fix.

    Please download VundoFix.exe to your desktop
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

    (if all files are not removed, it is important you do the next step, after the file is added, Vundofix will remove it)

    If there is a file VundoFix doesn't find we need it submitted. Please submit the files to Upload Malware: http://www.uploadmalware.com

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  3. #3
    Junior Member
    Join Date
    Apr 2007
    Posts
    9


    thank you, pskelley, for responding to my request for help.
    I shall uninstall the old JRE and replace with JRE v6 before I proceed.
    Is there a need to install Win XP SP2 (I currently have only SP1) before eradicating the malware?

    I will keep you posted.

    Thank you.

  4. #4
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    That is negative...do not install Service Pack 2 until you have a clean computer.

    http://www.microsoft.com/windowsxp/s...hattoknow.mspx

    Thanks

  5. #5
    Junior Member
    Join Date
    Apr 2007
    Posts
    9


    Quote Originally Posted by pskelley View Post
    That is negative...do not install Service Pack 2 until you have a clean computer.

    http://www.microsoft.com/windowsxp/s...hattoknow.mspx

    Thanks
    Thanks for that warning.
    A problem, though: when I click on the Java RE v6 installer, it pops up a warning that my OS is not supported...and lists XP SP2 (but not SP1, which I have) among the supported systems.
    So, perhaps I should just clean the malware with your help now, and handle the Java issue later.

    Thanks.
    Am now posting the logs, below...

  6. #6
    Junior Member
    Join Date
    Apr 2007
    Posts
    9

    Vundofix and HijackThis logs after 1st round of cleaning

    I made a foolish mistake by not disabling SpybotSnD TeaTimer before running Vundofix. As a result, TeaTimer denied some changes that VundoFix should have been allowed to make. I realised this from the TeaTimer popups informing me that it had denied some changes. So the relevant part of the SpybotSnD log is below.
    Spybot SnD log (after removing outdated Java, and using Vundofix)
    4/25/2007 12:08:37 PM Allowed value "SunJavaUpdateSched" (new data: "") deleted in System Startup global entry!
    4/25/2007 12:17:02 PM Allowed value "{3F9D0C61-737D-44D1-BD80-91AF857061CC}" (new data: "") deleted in Browser Helper Object!
    4/25/2007 12:17:03 PM Allowed value "ddcawuu" (new data: "") deleted in Winlogon Notifiers!
    4/25/2007 12:18:07 PM Denied value "jkhhg" (new data: "") deleted in Winlogon Notifiers!
    4/25/2007 12:19:23 PM Allowed value "SunJavaUpdateSched" (new data: "") deleted in System Startup global entry!

    ---------------
    VundoFix V6.3.20

    Checking Java version...

    Java version is 1.4.2.4
    Old versions of java are exploitable and should be removed.

    Scan started at 12:29:48 PM 4/25/2007

    Listing files found while scanning....

    No infected files were found.
    -----------------
    My note: At 12:30 PM, all 5 malicious files initially found by vundofix have ended up in a C:\VundofixBackups folder.
    -----------------
    Logfile of HijackThis v1.99.1
    Scan saved at 12:58:48 PM, on 4/25/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\System32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RunDll32.exe
    C:\WINDOWS\System32\pctspk.exe
    C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~2\VPTray.exe
    C:\WINDOWS\System32\atwtusb.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\scanner contains hjk ths\scanner.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uiowa.edu/homepage/index-text.html
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {3F9D0C61-737D-44D1-BD80-91AF857061CC} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
    O2 - BHO: (no name) - {7D51F608-F179-4A06-859B-6D6B38C7C022} - C:\WINDOWS\System32\jkhhg.dll (file missing)
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [C-Media Speaker Configuration] C:\PROGRA~1\C-Media\WIN_ME\Setup.exe /SPEAKER
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: Add to EverNote - res://C:\Program Files\EverNote\EverNote\enbar.dll/2000
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
    O9 - Extra 'Tools' menuitem: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
    O16 - DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{66E87B80-8F50-43DE-ADCB-4D75AB4D2B1C}: NameServer = 167.142.225.5,167.142.225.6
    O17 - HKLM\System\CS1\Services\Tcpip\..\{66E87B80-8F50-43DE-ADCB-4D75AB4D2B1C}: NameServer = 167.142.225.5,167.142.225.6
    O17 - HKLM\System\CS3\Services\Tcpip\..\{66E87B80-8F50-43DE-ADCB-4D75AB4D2B1C}: NameServer = 167.142.225.5,167.142.225.6
    O20 - Winlogon Notify: ddcawuu - C:\WINDOWS\
    O20 - Winlogon Notify: jkhhg - C:\WINDOWS\
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    -----------

  7. #7
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    To my knowledge, I have never had to turn off TeaTimer to run Vundofix. We do, however, need to turn it off to run HJT; in fact at times we even have to uninstall Spybot because of it.

    What is this item? I have never seen it in a HJT log before.
    O4 - HKLM\..\Run: [C-Media Speaker Configuration] C:\PROGRA~1\C-Media\WIN_ME\Setup.exe /SPEAKER
    If you are not sure, scan that file here:
    http://virusscan.jotti.org/


    1) Follow the directions in this link to turn off TeaTimer until you are finished.
    http://russelltexas.com/malware/teatimer.htm

    2) Please download ATF Cleaner by Atribune
    http://www.atribune.org/content/view/25/2/
    Save it to your Desktop. We will use this later.

    3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    O2 - BHO: (no name) - {3F9D0C61-737D-44D1-BD80-91AF857061CC} - (no file)
    O2 - BHO: (no name) - {7D51F608-F179-4A06-859B-6D6B38C7C022} - C:\WINDOWS\System32\jkhhg.dll (file missing)
    (next two are Alexa related resource wasters, if you don't use Alexa, remove them)
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} -
    O20 - Winlogon Notify: ddcawuu - C:\WINDOWS\
    O20 - Winlogon Notify: jkhhg - C:\WINDOWS\

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    4) Run ATF Cleaner
    Double-click ATF-Cleaner.exe to run the program.
    Click Select All found at the bottom of the list.
    Click the Empty Selected button.
    Click Exit on the Main menu to close the program.

    Restart the computer and post a new HJT log. How is the computer running now?

    Thanks
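The entries pskelley singles out in step 3 share two patterns that show up in the HJT logs posted above: registry entries whose target file is gone ("(no file)", "(file missing)", or a path cut down to "C:\WINDOWS\"), and the same randomly named DLL registered both as an O2 BHO and as an O20 Winlogon Notify handler (ddcawuu.dll and jkhhg.dll in the first log). The script below is an added example, not code from the thread, from HijackThis or from Spybot; it parses a constructed HJT excerpt modelled on the thread's logs and flags both patterns so a reviewer can see at a glance which lines to fix.

```python
"""Flag orphaned and paired O2/O20 entries in a HijackThis v1.99.1 log excerpt."""
import re
from collections import defaultdict

# Constructed sample: O2 and O20 lines modelled on the logs posted in this thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3F9D0C61-737D-44D1-BD80-91AF857061CC} - C:\WINDOWS\system32\ddcawuu.dll
O2 - BHO: (no name) - {3F9D0C61-737D-44D1-BD80-91AF857061CC} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: (no name) - {F4E0D341-4B97-4FB1-B1F1-B5E7DABC1DFE} - C:\WINDOWS\System32\jkhhg.dll
O2 - BHO: (no name) - {7D51F608-F179-4A06-859B-6D6B38C7C022} - C:\WINDOWS\System32\jkhhg.dll (file missing)
O20 - Winlogon Notify: ddcawuu - C:\WINDOWS\SYSTEM32\ddcawuu.dll
O20 - Winlogon Notify: jkhhg - C:\WINDOWS\System32\jkhhg.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: ddcawuu - C:\WINDOWS\
"""

# HJT line formats: "O2 - BHO: <name> - {CLSID} - <path>" and
# "O20 - Winlogon Notify: <subkey> - <path>".
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
# Suffixes HJT appends when the registry points at a file that is no longer on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def dll_basename(path):
    """Lower-cased DLL file name from an HJT path, or None when the path names no
    DLL (HJT prints a bare 'C:\\WINDOWS\\' once the handler's file has been deleted)."""
    path = path.strip()
    for marker in ORPHAN_MARKERS:
        if path.endswith(marker):
            path = path[: -len(marker)].strip()
    name = path.rsplit("\\", 1)[-1].lower()
    return name if name.endswith(".dll") else None


def parse_hjt(text):
    """Split an HJT log into its O2 (BHO) and O20 (Winlogon Notify) records."""
    bhos, notifies = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = NOTIFY_RE.match(line)
        if m:
            notifies.append(m.groupdict())
    return bhos, notifies


def analyze_hjt_log(text):
    """Return sorted (finding, section, detail) tuples for the two patterns above."""
    bhos, notifies = parse_hjt(text)
    findings = []

    # Pattern 1: orphaned entries whose target file has already been removed.
    for b in bhos:
        if any(marker in b["path"] for marker in ORPHAN_MARKERS):
            findings.append(("orphan", "O2", f"{b['clsid']} -> {b['path']}"))
    for n in notifies:
        if dll_basename(n["path"]) is None:
            findings.append(("orphan", "O20", f"{n['key']} -> {n['path']}"))

    # Pattern 2: one DLL registered as both a BHO and a Winlogon Notify handler,
    # the pairing seen for ddcawuu.dll and jkhhg.dll in the thread's first log.
    bho_dlls = {dll_basename(b["path"]) for b in bhos} - {None}
    notify_dlls = defaultdict(list)
    for n in notifies:
        dll = dll_basename(n["path"])
        if dll:
            notify_dlls[dll].append(n["key"])
    for dll in sorted(bho_dlls & set(notify_dlls)):
        findings.append(("bho_notify_pair", "O2+O20", dll))

    return sorted(findings)


if __name__ == "__main__":
    for finding, section, detail in analyze_hjt_log(SAMPLE_HJT_LOG):
        print(f"{finding:16} {section:7} {detail}")
```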

  8. #8
    Junior Member
    Join Date
    Apr 2007
    Posts
    9

    C-media explanation and new HJT log

    Hi, pskelley.
    Those 2 C-media entries refer to an audio speaker configuration utility that came on my desktop's system CD about 5 years ago. It's quite possible that C-media's audio is not that common: I've never used it, since I usually get by with a pair of simple speakers, unlike the 5 speakers that the utility would support. The C-media configurator resides in my system tray (that's the one containing the clock, right?). I don't think it hogs many system resources, and it has an exit button if I ever need to disable it until my next reboot.

    With SpybotSnD turned off, and Symantec's AutoProtect disabled, I did the HJT and ATFCleaner steps you'd instructed.
    Here's the new HJT log:
    Logfile of HijackThis v1.99.1
    Scan saved at 11:37:06 PM, on 4/25/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\System32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RunDll32.exe
    C:\WINDOWS\System32\pctspk.exe
    C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\SYMANT~2\VPTray.exe
    C:\WINDOWS\System32\atwtusb.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Symantec AntiVirus\DoScan.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\scanner contains hjk ths\scanner.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uiowa.edu/homepage/index-text.html
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [C-Media Speaker Configuration] C:\PROGRA~1\C-Media\WIN_ME\Setup.exe /SPEAKER
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: Add to EverNote - res://C:\Program Files\EverNote\EverNote\enbar.dll/2000
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
    O9 - Extra 'Tools' menuitem: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{66E87B80-8F50-43DE-ADCB-4D75AB4D2B1C}: NameServer = 167.142.225.5,167.142.225.6
    O17 - HKLM\System\CS1\Services\Tcpip\..\{66E87B80-8F50-43DE-ADCB-4D75AB4D2B1C}: NameServer = 167.142.225.5,167.142.225.6
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    ------------------
    As for how the PC is running: I have not seen any further Internet Explorer launch attempts (but even during the infected stage, those had been infrequent, perhaps once in 30 minutes). I am no longer getting memory violation messages, or long shutdown times that I was (again, occasionally) getting during the infected stage.

    I'm guessing the Vundo malware has been mostly contained (or imprisoned in the VundofixBackup folder). Have you noticed any traces of Smitfraud or any keylogger infection in these logs? SpyBotSnD had detected, and erased, Smitfraud twice.

    Thank you.

  9. #9
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    Thanks for returning your information and the feedback; your HJT log looks fine. You can probably turn the C-Media off in MSConfig:
    http://www.netsquirrel.com/msconfig/
    http://vlaurie.com/computers2/Articles/startup.htm

    You understand the Service Pack you are running is no longer supported by Microsoft, see this:
    http://www.microsoft.com/windows/sup...ofsupport.mspx
    Until you update to SP2 (free) you cannot download the critical updates to keep your Operating System and Browser safe. My suggestion is that you do that now, while your computer is clean.

    You may keep ATF-Cleaner if you wish but delete all other tools we used for the cleanup (backups will go with the Vundo tool). You may also rename HJT if you wish.

    I see no evidence of any other infections, make sure your antivirus program is updated and running correctly (that malware may have compromised it, and you may wish to ask Symantec tech support if you need to do anything) then run complete system scan.
    Spybot has a few false positives dealing with Smitfraud, you can see them at the top of the page here: http://forums.spybot.info/forumdisplay.php?f=4 and post any questions about Spybot in that forum.

    System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
    http://service1.symantec.com/SUPPORT...rc=sec_doc_nam

    Some good ideas to speed up your computer:
    http://users.telenet.be/bluepatchy/m...wcomputer.html

    Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
    http://forums.spybot.info/showthread.php?t=279
    http://russelltexas.com/malware/allclear.htm
    http://forum.malwareremoval.com/viewtopic.php?t=14
    http://www.bleepingcomputer.com/forums/topict2520.html
    http://cybercoyote.org/security/not-admin.shtml

    Thanks...pskelley
    Safer Networking Forums
    http://www.spybot.info/en/donate/index.html
    If you are reading this information...thank a teacher,
    If you are reading it in English...thank a soldier.

  10. #10
    Junior Member
    Join Date
    Apr 2007
    Posts
    9

    Thank you for all your help

    Thanks, pskelley, for your help and tips.
    I'll consider uninstalling and reinstalling Symantec, as a safety measure. I'll use ATF-cleaner to wipe away unnecessary files between reinstalls.

    Some questions:
    1) Would you recommend installing Java before or after SP2 update? I've gotten the Java 6 installer.

    2) I'll install SP2 from the huge 200MB+ standalone updater I had gotten from the MS website long ago (I kept hearing horror stories of PCs misbehaving after SP2 updates due to s/w or hardware conflicts). What can I do to make sure the update does not modify any settings that will then allow it to send information to Microsoft without my consent?

    I'll post back in 2 weeks if I detect any unusual behaviour on my system (I don't use the internet that often, and I use firefox exclusively, so it'll take me some time to watch for unusual Internet Explorer activity).

    Have a good day.
