Virtumonde,Smitfraud-C, Trojware.Win32

[Shaba]

I'd like you to check a file for malware.

• Go to VirusTotal or Jotti's

C:\Program Files\321Studios\DVD X Rescue\DVDXRescue.EXE

• Copy/Paste the first file on the list into the white Upload a file box.
• Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
• After a while, a window will open, with details of what the scans found.
• Save the complete results in a Notepad/Word document on your desktop.
• Post back results here, please.

 

[zosobao]

from virustotal:

File DVDXRescue.EXE received on 12.21.2008 14:44:15 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 9/37 (24.33%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 38 and 55 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
AhnLab-V3 2008.12.19.3 2008.12.21 -
AntiVir 7.9.0.45 2008.12.19 -
Authentium 5.1.0.4 2008.12.21 -
Avast 4.8.1281.0 2008.12.20 Win32:Trojan-gen {Other}
AVG 8.0.0.199 2008.12.20 -
BitDefender 7.2 2008.12.21 -
CAT-QuickHeal 10.00 2008.12.20 I-Worm.Bacteraloh.w
ClamAV 0.94.1 2008.12.20 -
Comodo 783 2008.12.20 -
DrWeb 4.44.0.09170 2008.12.21 -
eSafe 7.0.17.0 2008.12.18 Suspicious File
eTrust-Vet 31.6.6271 2008.12.20 -
Ewido 4.0 2008.12.21 -
F-Prot 4.4.4.56 2008.12.21 -
F-Secure 8.0.14332.0 2008.12.21 P2P-Worm.Win32.Bacteraloh.w
Fortinet 3.117.0.0 2008.12.21 -
GData 19 2008.12.21 Win32:Trojan-gen {Other}
Ikarus T3.1.1.45.0 2008.12.21 P2P-Worm.Win32.Bacteraloh
K7AntiVirus 7.10.560 2008.12.20 -
Kaspersky 7.0.0.125 2008.12.21 P2P-Worm.Win32.Bacteraloh.w
McAfee 5470 2008.12.20 -
McAfee+Artemis 5470 2008.12.20 -
Microsoft 1.4205 2008.12.21 -
NOD32 3709 2008.12.20 -
Norman 5.80.02 2008.12.19 -
Panda 9.0.0.4 2008.12.21 -
Prevx1 V2 2008.12.21 -
Rising 21.08.62.00 2008.12.21 -
SecureWeb-Gateway 6.7.6 2008.12.19 -
Sophos 4.37.0 2008.12.21 -
Sunbelt 3.2.1801.2 2008.12.11 -
Symantec 10 2008.12.21 -
TheHacker 6.3.1.4.195 2008.12.20 -
TrendMicro 8.700.0.1004 2008.12.19 -
VBA32 3.12.8.10 2008.12.21 P2P-Worm.Win32.Bacteraloh.w
ViRobot 2008.12.20.1528 2008.12.21 Worm.Win32.P2P-Bacteraloh.608768
VirusBuster 4.5.11.0 2008.12.20 -
Additional information
File size: 608768 bytes
MD5...: 3b96aa83d11cbd7a8d0f51a659349d46
SHA1..: f291506006004c25f7c574e45da14b6ba38c67b5
SHA256: 224aa1e836ee4c2e5758aa1748460fdbbcc7a880de6be3a705b76042660ed37e
SHA512: 162b591cf1f90298137c3d018421409fa3edc719fd4160f8a33c67958a7f8f1e
0ebea14e24ae8ce573aa01ea2a3d4da165056b40b9b8820f33ce341a8c1b27e7
ssdeep: 12288:jl2KGOdQ2b7r37IKxzaXBFFlsGj2TUM0BGzMtZZsgGLeu3TY5ktd:jlbdQ
qrrIKxz+FFlZj0UM0YIFsgGLei
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
TrID..: File type identification
Win32 EXE Yoda's Crypter (56.9%)
Win32 Executable Generic (18.2%)
Win32 Dynamic Link Library (generic) (16.2%)
Generic Win/DOS Executable (4.2%)
DOS Executable Generic (4.2%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4f3620
timedatestamp.....: 0x40159d72 (Mon Jan 26 23:06:26 2004)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x60000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
XPROT 0x61000 0x93000 0x92800 7.84 bf2b2a4f1715b6d0db3bc2b022b0faa3
.rsrc 0xf4000 0x2000 0x1e00 3.38 8923d47994c8168d43720308d194b34c

( 12 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, ExitProcess
> advapi32.dll: FreeSid
> cdrpdev.dll: __1DDBInfo@@QAE@XZ
> comctl32.dll: PropertySheet
> comdlg32.dll: GetSaveFileNameA
> gdi32.dll: LineTo
> jpegview.dll: JPEGViewFree
> ole32.dll: DoDragDrop
> shell32.dll: SHGetMalloc
> user32.dll: GetDC
> version.dll: VerQueryValueA
> winmm.dll: PlaySound

( 0 exports )
CWSandbox info: <a href='http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=3b96aa83d11cbd7a8d0f51a659349d46' target='_blank'>http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=3b96aa83d11cbd7a8d0f51a659349d46</a>
packers (F-Prot): UPX

 

[zosobao]

from jotti

Service load:
0% 100%
File: DVDXRescue.EXE
Status:
INFECTED/MALWARE
MD5: 3b96aa83d11cbd7a8d0f51a659349d46
Packers detected:
-
Scanner results
Scan taken on 21 Dec 2008 13:52:22 (GMT)
A-Squared
Found P2P-Worm.Win32.Bacteraloh!IK
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found Win32:Trojan-gen {Other}
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found W32.P2P.W.Bacteraloh.w
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found P2P-Worm.Win32.Bacteraloh.w
G DATA
Found Win32:Trojan-gen
Ikarus
Found nothing
Kaspersky Anti-Virus
Found P2P-Worm.Win32.Bacteraloh.w
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found P2P-Worm.Win32.Bacteraloh.w

 

[Shaba]

Do you recognize this program?

C:\Program Files\321Studios\DVD X Rescue

 

[zosobao]

Yes...I've had it forever, but I rarely use it. Its for recovering scratched DVDs.

 

[Shaba]

Thank you for information.

Then we can assume that those are false positives.

Delete this:

C:\temp\uVN23L.exe

Empty Recycle Bin.

Still problems?

 

[zosobao]

I don't seem to have any issues.

Thank you for all your help.

Happy Holidays

 

[Shaba]

Great

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Now lets uninstall ComboFix:

• Click START then RUN
• Now type Combofix /u in the runbox and click OK

Next we remove all used tools.

Please download OTCleanIt and save it to desktop.

• Double-click OTCleanIt.exe.
• Click the CleanUp! button.
• Select Yes when the "Begin cleanup Process?" prompt appears.
• If you are prompted to Reboot during the cleanup, select Yes.
• The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

• Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
  
  You can find instructions on how to enable and re-enable system restore here:
  
  Windows XP System Restore Guide

Re-enable system restore with instructions from tutorial above

• Make your Internet Explorer more secure - This can be done by following these simple instructions:
• From within Internet Explorer click on the Tools menu and then click on Options.
• Click once on the Security tab
• Click once on the Internet icon so it becomes highlighted.
• Click once on the Custom Level button.
• Change the Download signed ActiveX controls to Prompt
  
• Change the Download unsigned ActiveX controls to Disable
  
• Change the Initialize and script ActiveX controls not marked as safe to Disable
  
• Change the Installation of desktop items to Prompt
  
• Change the Launching programs and files in an IFRAME to Prompt
  
• Change the Navigate sub-frames across different domains to Prompt
  
• When all these settings have been made, click on the OK button.
  
• If it prompts you as to whether or not you want to save the settings, press the Yes button.
• Next press the Apply button and then the OK to exit the Internet Properties page.

• Update your AntiVirus Software and keep your other programs up-to-date Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
  You can use one of these sites to check if any updates are needed for your pc.
  Secunia Software Inspector
  F-secure Health Check
  
• Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  
• Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
  
  A tutorial on installing & using this product can be found here:
  
  Using SpywareBlaster to protect your computer from Spyware and Malware
  
  
• Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer. See also a hosts file tutorial here
• Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
  Using Winpatrol to protect your computer from malicious software

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean! :bigthumb:

 

[Shaba]

Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.