Virtumonde [Marcopilon]

Marcopilon

New member
Hello,

I've read the "Before you post" post.

HijackThis log file:

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:50:02, on 26/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20861)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\LClock\LClock.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [BM2f8c1e71] Rundll32.exe "C:\WINDOWS\system32\xmygywux.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Styler.lnk = C:\Program Files\Styler\Styler.exe
O4 - Global Startup: Styler.lnk = C:\Program Files\Styler\Styler.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O20 - AppInit_DLLs: mjlzgo.dll kncrim.dll nhymnl.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Service Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 6878 bytes


Please notice that the Spybot function for scanning at restart doesn't work at all on my system.

Sometimes, the Spybot scan prompts for a Windows restart. This sometimes leads to a winlogon.exe crash (memory error, memory cannot be written (0x0128520b)).

NOD32 C:\WINDOWS scan log:

Code:
C:\WINDOWS\system32\config\default - error opening
C:\WINDOWS\system32\config\default.LOG - error opening
C:\WINDOWS\system32\config\SAM - error opening
C:\WINDOWS\system32\config\SAM.LOG - error opening
C:\WINDOWS\system32\config\SECURITY - error opening
C:\WINDOWS\system32\config\SECURITY.LOG - error opening
C:\WINDOWS\system32\config\software - error opening
C:\WINDOWS\system32\config\software.LOG - error opening
C:\WINDOWS\system32\config\system - error opening
C:\WINDOWS\system32\config\system.LOG - error opening
C:\WINDOWS\system32\config\systemprofile\GLB2065.tmp » WISE » WISE0132.DLL - archive damaged
C:\WINDOWS\system32\drivers\sptd.sys - error opening

Thanks for paying attention to my problem.

*M*.
 
Kaspersky online scanner log file:

Code:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
 Tuesday, August 26, 2008
 Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
 Kaspersky Online Scanner 7 version: 7.0.25.0
 Program database last update: Tuesday, August 26, 2008 20:40:50
 Records in database: 1148890
--------------------------------------------------------------------------------

Scan settings:
	Scan using the following database: extended
	Scan archives: yes
	Scan mail databases: yes

Scan area - Folder:
	C:\WINDOWS\system32

Scan statistics:
	Files scanned: 4233
	Threat name: 2
	Infected objects: 7
	Suspicious objects: 0
	Duration of the scan: 00:01:32


File name / Threat name / Threats count
C:\WINDOWS\system32\kdnhkmdh.dll	Infected: not-a-virus:AdWare.Win32.SuperJuan.cva	1
C:\WINDOWS\system32\kncrim.dll	Infected: not-a-virus:AdWare.Win32.SuperJuan.cva	1
C:\WINDOWS\system32\mjlzgo.dll	Infected: not-a-virus:AdWare.Win32.SuperJuan.cva	1
C:\WINDOWS\system32\prludhfp.dll	Infected: not-a-virus:AdWare.Win32.Agent.eke	1
C:\WINDOWS\system32\rlyjikfm.dll	Infected: not-a-virus:AdWare.Win32.Agent.eke	1
C:\WINDOWS\system32\suindfhk.dll	Infected: not-a-virus:AdWare.Win32.SuperJuan.cva	1
C:\WINDOWS\system32\xyyhicer.dll	Infected: not-a-virus:AdWare.Win32.Agent.eke	1

The selected area was scanned.

Seems to be more crap than I thought :'(
Gonna try to get Kaspersky AV (at least the demo).
 
Free AV C:\Windows scan log file:

Code:
Avira AntiVir Personal
Report file date: mardi 26 août 2008  23:00

Scanning for 1575260 virus strains and unwanted programs.

Licensed to:      Avira AntiVir PersonalEdition Classic
Serial number:    0000149996-ADJIE-0001
Platform:         Windows XP
Windows version:  (Service Pack 3)  [5.1.2600]
Boot mode:        Normally booted
Username:         Marc
Computer name:    WWW

Version information:
BUILD.DAT     : 8.1.00.295      16479 Bytes  09/04/2008 16:24:00
AVSCAN.EXE    : 8.1.2.12       311553 Bytes  18/03/2008 09:02:56
AVSCAN.DLL    : 8.1.1.0         53505 Bytes  07/02/2008 08:43:37
LUKE.DLL      : 8.1.2.9        151809 Bytes  28/02/2008 08:41:23
LUKERES.DLL   : 8.1.2.1         12033 Bytes  21/02/2008 08:28:40
ANTIVIR0.VDF  : 6.40.0.0     11030528 Bytes  18/07/2007 10:33:34
ANTIVIR1.VDF  : 7.0.5.1       8182784 Bytes  24/06/2008 20:53:33
ANTIVIR2.VDF  : 7.0.6.60      2802176 Bytes  24/08/2008 20:53:37
ANTIVIR3.VDF  : 7.0.6.74        91136 Bytes  26/08/2008 20:53:38
Engineversion : 8.1.1.23  
AEVDF.DLL     : 8.1.0.5        102772 Bytes  25/02/2008 09:58:21
AESCRIPT.DLL  : 8.1.0.68       315770 Bytes  26/08/2008 20:53:46
AESCN.DLL     : 8.1.0.23       119156 Bytes  26/08/2008 20:53:45
AERDL.DLL     : 8.1.0.20       418165 Bytes  26/08/2008 20:53:44
AEPACK.DLL    : 8.1.2.1        364917 Bytes  26/08/2008 20:53:44
AEOFFICE.DLL  : 8.1.0.22       192890 Bytes  26/08/2008 20:53:43
AEHEUR.DLL    : 8.1.0.50      1388918 Bytes  26/08/2008 20:53:43
AEHELP.DLL    : 8.1.0.15       115063 Bytes  26/08/2008 20:53:42
AEGEN.DLL     : 8.1.0.36       315764 Bytes  26/08/2008 20:53:41
AEEMU.DLL     : 8.1.0.7        430452 Bytes  26/08/2008 20:53:40
AECORE.DLL    : 8.1.1.8        172406 Bytes  26/08/2008 20:53:40
AEBB.DLL      : 8.1.0.1         53617 Bytes  26/08/2008 20:53:39
AVWINLL.DLL   : 1.0.0.7         14593 Bytes  23/01/2008 17:07:53
AVPREF.DLL    : 8.0.0.1         25857 Bytes  18/02/2008 10:37:50
AVREP.DLL     : 8.0.0.2         98344 Bytes  26/08/2008 20:53:39
AVREG.DLL     : 8.0.0.0         30977 Bytes  23/01/2008 17:07:49
AVARKT.DLL    : 1.0.0.23       307457 Bytes  12/02/2008 08:29:23
AVEVTLOG.DLL  : 8.0.0.11       114945 Bytes  28/02/2008 08:31:31
SQLITE3.DLL   : 3.3.17.1       339968 Bytes  22/01/2008 17:28:02
SMTPLIB.DLL   : 1.2.0.19        28929 Bytes  23/01/2008 17:08:39
NETNT.DLL     : 8.0.0.1          7937 Bytes  25/01/2008 12:05:10
RCIMAGE.DLL   : 8.0.0.35      2371841 Bytes  10/03/2008 14:37:25
RCTEXT.DLL    : 8.0.32.0        86273 Bytes  06/03/2008 12:02:11

Configuration settings for the scan:
Jobname..........................: ShlExt
Configuration file...............: C:\DOCUME~1\Marc\LOCALS~1\Temp\bca76244.avp
Logging..........................: low
Primary action...................: repair
Secondary action.................: delete
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, 
Scan memory......................: on
Process scan.....................: off
Scan registry....................: off
Search for rootkits..............: off
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 60
Smart extensions.................: on
Deviating archive types..........: +BSD Mailbox, +Netscape/Mozilla Mailbox, +Eudora Mailbox, +Squid cache, +Pegasus Mailbox, +MS Outlook Mailbox, 
Macro heuristic..................: on
File heuristic...................: high
Deviating risk categories........: +APPL,+GAME,+JOKE,+PCK,+SPR,

Start of the scan: mardi 26 août 2008  23:00

Starting the file scan:

Begin scan in 'C:\WINDOWS'
C:\WINDOWS\system32\achhdgaj.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [NOTE]      A backup was created as '491c7052.qua'  ( QUARANTINE )
      [NOTE]      The file was deleted!
C:\WINDOWS\system32\cfxlekoo.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [NOTE]      A backup was created as '492c705e.qua'  ( QUARANTINE )
      [NOTE]      The file was deleted!
C:\WINDOWS\system32\ddcCRHbb.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [NOTE]      A backup was created as '49177064.qua'  ( QUARANTINE )
      [WARNING]   The file could not be deleted!
C:\WINDOWS\system32\hpiwvckh.dll
      [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
      [NOTE]      A backup was created as '491d7076.qua'  ( QUARANTINE )
      [NOTE]      The file was deleted!
C:\WINDOWS\system32\jeylbxaa.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [NOTE]      A backup was created as '492d706f.qua'  ( QUARANTINE )
      [NOTE]      The file was deleted!
C:\WINDOWS\system32\kdnhkmdh.dll
      [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
      [NOTE]      A backup was created as '4922706f.qua'  ( QUARANTINE )
      [NOTE]      The file was deleted!
C:\WINDOWS\system32\kncrim.dll
      [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
      [NOTE]      A backup was created as '4917707a.qua'  ( QUARANTINE )
      [WARNING]   The file could not be deleted!
C:\WINDOWS\system32\krrsraee.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [NOTE]      A backup was created as '4926707e.qua'  ( QUARANTINE )
      [NOTE]      The file was deleted!
C:\WINDOWS\system32\kutfqx.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [NOTE]      A backup was created as '49287081.qua'  ( QUARANTINE )
      [WARNING]   The file could not be deleted!
C:\WINDOWS\system32\kvigjh.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [NOTE]      A backup was created as '491d7083.qua'  ( QUARANTINE )
      [NOTE]      The file was deleted!
C:\WINDOWS\system32\lbbrakdo.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [NOTE]      A backup was created as '49167070.qua'  ( QUARANTINE )
      [WARNING]   The file could not be deleted!
C:\WINDOWS\system32\mjlzgo.dll
      [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
      [NOTE]      A backup was created as '4920707b.qua'  ( QUARANTINE )
      [WARNING]   The file could not be deleted!
C:\WINDOWS\system32\nhymnl.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [NOTE]      A backup was created as '492d7081.qua'  ( QUARANTINE )
      [WARNING]   The file could not be deleted!
C:\WINDOWS\system32\nmycetah.dll
      [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
      [NOTE]      A backup was created as '492d7086.qua'  ( QUARANTINE )
      [NOTE]      The file was deleted!
C:\WINDOWS\system32\prludhfp.dll
      [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
      [NOTE]      A backup was created as '49207094.qua'  ( QUARANTINE )
      [NOTE]      The file was deleted!
C:\WINDOWS\system32\rlyjikfm.dll
      [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
      [NOTE]      A backup was created as '492d7091.qua'  ( QUARANTINE )
      [NOTE]      The file was deleted!
C:\WINDOWS\system32\rqRLcYSI.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [NOTE]      A backup was created as '49067096.qua'  ( QUARANTINE )
      [WARNING]   The file could not be deleted!
C:\WINDOWS\system32\suindfhk.dll
      [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
      [NOTE]      A backup was created as '491d709e.qua'  ( QUARANTINE )
      [NOTE]      The file was deleted!
C:\WINDOWS\system32\vubwuhlf.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [NOTE]      A backup was created as '491670a2.qua'  ( QUARANTINE )
      [NOTE]      The file was deleted!
C:\WINDOWS\system32\vuvrwaxx.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [NOTE]      A backup was created as '492a70a2.qua'  ( QUARANTINE )
      [NOTE]      The file was deleted!
C:\WINDOWS\system32\xyyhicer.dll
      [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
      [NOTE]      A backup was created as '492d70ac.qua'  ( QUARANTINE )
      [NOTE]      The file was deleted!
C:\WINDOWS\system32\drivers\sptd.sys
      [WARNING]   The file could not be opened!


End of the scan: mardi 26 août 2008  23:06
Used time: 05:48 min

The scan has been done completely.

   1330 Scanning directories
  50937 Files were scanned
     21 viruses and/or unwanted programs were found
      0 Files were classified as suspicious:
     14 files were deleted
      0 files were repaired
     21 files were moved to quarantine
      0 files were renamed
      1 Files cannot be scanned
  50916 Files not concerned
    536 Archives were scanned
      8 Warnings
     21 Notes

I'm currently praying... and assume that the files are not moved to quarantine for real.
 