
Virtumonde, Smitfraud, Others


  • This topic is locked
2 replies to this topic

#1 natasha123

natasha123

  • Members
  • 1 posts
  • OFFLINE
  • Local time:09:43 PM

Posted 26 November 2007 - 01:26 PM

My "not so intelligent" daughter thought it too clever to get Winzip Evaluation running just proper. Anyway, something happened when using Limetime(?), and now this $^%& computer does not work. I removed that software she used as I was told that it is bad, but the computer is still non-functional. I have tried my best to get the info that you experts asked for. Here is the Kaspersky log. My computer does not allow HJT to install, as Windows reports errors and does not allow it to run. I've run Spybot over and over, both in normal and safe modes. Virtumonde and others seem to reappear. Can this be fixed with new software or other ways?

Scan Statistics:
Total number of scanned objects: 143462
Number of viruses found: 18
Number of infected objects: 3135
Number of suspicious objects: 2
Duration of the scan process: 02:27:07

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant1.zip/v1.8.6/wbuninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Content.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Privacy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Restrict.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\WebHist.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\HPPAppActivity.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\HPPHomePageActivity.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-11-25_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\Chris\Application Data\Symantec\PendingAlertsQueue.log Object is locked skipped
C:\Documents and Settings\Chris\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Chris\Desktop\ASmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Chris\Desktop\ASmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Chris\Desktop\ASmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Chris\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Chris\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\History\History.IE5\MSHist012007112520071126\index.dat Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Internet Files\Content.IE5\IZAZND1I\a8f5a020e4b833865a1034489887c8b9[1].zip/b122.exe Infected: Trojan-Downloader.Win32.Agent.erf skipped
C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Internet Files\Content.IE5\IZAZND1I\a8f5a020e4b833865a1034489887c8b9[1].zip ZIP: infected - 1 skipped
C:\Documents and Settings\Chris\Local Settings\Temp\~DF570E.tmp Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Temp\~DF7F6.tmp Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\NB1JLNKD\install_en[1].exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\Chris\My Documents\Limewire\WinZip.Professional.v11.1.7466.Incl.Keymaker-ZWT\WinZip.Professional.v11.1 Keygen.exe Infected: Trojan-Dropper.Win32.Delf.xo skipped
C:\Documents and Settings\Chris\My Documents\Limewire\WinZip.Professional.v11.1.7466.Incl.Keymaker-ZWT\WinZip.Professional.v11.1.exe Infected: Trojan-Dropper.Win32.Delf.xo skipped
C:\Documents and Settings\Chris\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Chris\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Canon\MultiPASS\repos\Db\mpdata.dat Object is locked skipped
C:\Program Files\Canon\MultiPASS\repos\Db\mpdata.idx Object is locked skipped
C:\Program Files\Common Files\rtepre.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\Program Files\Common Files\Symantec Shared\AntiSpam\Log\Spam.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\eengine\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Internet Explorer\metocojo4444.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Program Files\Internet Explorer\metocojo83122.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton AntiVirus\Savrt\0050NAV~.TMP Object is locked skipped
C:\pvsw\bin\mkde\log\LAST_SEG.LOG Object is locked skipped
C:\RECYCLER\S-1-5-21-746137067-839522115-1343024091-1000\Dc70.rar/WinZip.Professional.v11.1.7466.Incl.Keymaker-ZWT/WinZip.Professional.v11.1 Keygen.exe Infected: Trojan-Dropper.Win32.Delf.xo skipped
C:\RECYCLER\S-1-5-21-746137067-839522115-1343024091-1000\Dc70.rar/WinZip.Professional.v11.1.7466.Incl.Keymaker-ZWT/WinZip.Professional.v11.1.exe Infected: Trojan-Dropper.Win32.Delf.xo skipped
C:\RECYCLER\S-1-5-21-746137067-839522115-1343024091-1000\Dc70.rar RAR: infected - 2 skipped
C:\RECYCLER\S-1-5-21-746137067-839522115-1343024091-1000\Dc71.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\RECYCLER\S-1-5-21-746137067-839522115-1343024091-1000\Dc72.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\RECYCLER\S-1-5-21-746137067-839522115-1343024091-1000\Dc73.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\RECYCLER\S-1-5-21-746137067-839522115-1343024091-1000\Dc73.zip ZIP: infected - 1 skipped
C:\RECYCLER\S-1-5-21-746137067-839522115-1343024091-1000\Dc76.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINNT\17PHolmes1000106.exe Infected: Trojan-Downloader.Win32.Agent.fhv skipped
C:\WINNT\b122.exe Infected: Trojan-Downloader.Win32.Agent.erf skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Downloaded Program Files\SbCIe02a.dll Infected: not-a-virus:AdWare.Win32.SideStep.b skipped
C:\WINNT\Fonts\'\.45.2006.DVDRip.XViD-ESPiSE Keygen.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINNT\Fonts\'\.45.2006.DVDRip.XViD-ESPiSE Keygen.zip ZIP: infected - 1 skipped
C:\WINNT\Fonts\'\00jj99uuii66ddxxqqq.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINNT\Fonts\'\00jj99uuii66ddxxqqq.zip ZIP: infected - 1 skipped
C:\WINNT\Fonts\'\100% Blowjobs 17 Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINNT\Fonts\'\100% Blowjobs 17 Patch.zip ZIP: infected - 1 skipped
C:\WINNT\Fonts\'\100% Foursomes Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINNT\Fonts\'\100% Foursomes Patch.zip ZIP: infected - 1 skipped
C:\WINNT\Fonts\'\101 Jukebox Classics Keygen.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINNT\Fonts\'\101 Jukebox Classics Keygen.zip ZIP: infected - 1 skipped
C:\WINNT\Fonts\'\18 Wheels of Steel Haulin Crack.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
.
.(for this post, I deleted lots of lines generated - maybe hundreds of them)
.
.
C:\WINNT\Fonts\'\ZZ Top - Chrome, SmokeBBQ (Box Set) Crack.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINNT\Fonts\'\ZZ Top - Chrome, SmokeBBQ (Box Set) Crack.zip ZIP: infected - 1 skipped
C:\WINNT\Fonts\a.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINNT\Fonts\a.zip ZIP: infected - 1 skipped
C:\WINNT\Fonts\Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINNT\Fonts\svchost.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\abtxmyck.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\dhxclhsx.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINNT\system32\emvuhvvx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\WINNT\system32\g2\bemwdll3.exe Infected: Trojan-Downloader.Win32.Small.gll skipped
C:\WINNT\system32\i2\mper83122.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\WINNT\system32\i2\mper83122.exe NSIS: infected - 1 skipped
C:\WINNT\system32\jvrkeksj.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINNT\system32\Perflib_Perfdata_760.dat Object is locked skipped
C:\WINNT\system32\rMa05yy\rMa05yy1080.exe Infected: Trojan-Downloader.Win32.VB.bto skipped
C:\WINNT\system32\ssqpqqq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ath skipped
C:\WINNT\tk58.exe Infected: Trojan.Win32.BHO.ab skipped
C:\WINNT\TTC-4444.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\WINNT\TTC-4444.exe NSIS: infected - 1 skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.
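As an added example (not part of this thread, and not Kaspersky's own tooling), the Python script below parses lines in the format of the Kaspersky scan log posted above and triages them the way a helper reading such a log does by eye: it separates "Object is locked" entries (files the scanner could not open because they were in use, such as registry hives and logs; these are not detections) from real detections, drops the container summary lines ("ZIP: infected - 1") that repeat a detection already listed for the archive member, groups detections by family, and flags detections sitting in locations where legitimate software does not live (the Fonts directory, the Recycle Bin, the browser cache). The sample lines are copied from the log above; the location heuristics, the family-name rule and all function names are my own and are assumptions, not a Kaspersky specification.

```python
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the scan log posted in this thread,
# plus one trailer line that is not a per-object entry and must be ignored.
SAMPLE_LOG = r"""
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Internet Files\Content.IE5\IZAZND1I\a8f5a020e4b833865a1034489887c8b9[1].zip/b122.exe Infected: Trojan-Downloader.Win32.Agent.erf skipped
C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Internet Files\Content.IE5\IZAZND1I\a8f5a020e4b833865a1034489887c8b9[1].zip ZIP: infected - 1 skipped
C:\Program Files\Internet Explorer\metocojo4444.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\RECYCLER\S-1-5-21-746137067-839522115-1343024091-1000\Dc73.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\RECYCLER\S-1-5-21-746137067-839522115-1343024091-1000\Dc73.zip ZIP: infected - 1 skipped
C:\WINNT\Fonts\svchost.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINNT\system32\emvuhvvx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant1.zip/v1.8.6/wbuninst.exe Suspicious: Password-protected-EXE skipped
Scan process completed.
"""

# Line shapes observed in the log. Paths contain spaces, so the path group is
# non-greedy and everything after it is anchored to the end of the line.
_DETECTION = re.compile(r"^(?P<path>.+?) (?P<kind>Infected|Suspicious): (?P<verdict>\S+) skipped$")
_LOCKED = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
_CONTAINER = re.compile(r"^(?P<path>.+?) (?P<fmt>[A-Za-z]+): (?P<verdict>infected|suspicious) - (?P<count>\d+) skipped$")

# Heuristic (my own assumption): places where a detection is almost never a false
# positive. The first matching rule wins, so the more specific rule comes first.
_LOCATION_RULES = (
    (r"\\fonts\\", "Fonts directory"),
    (r"\\recycler\\", "Recycle Bin"),
    (r"temporary internet files", "browser cache"),
    (r"\\temp\\", "user Temp directory"),
)


def parse_line(line):
    """Turn one log line into a dict, or return None for lines that are not per-object entries."""
    line = line.strip()
    if not line:
        return None
    m = _CONTAINER.match(line)
    if m:
        return {"path": m["path"], "kind": "container", "format": m["fmt"],
                "verdict": m["verdict"], "count": int(m["count"])}
    m = _DETECTION.match(line)
    if m:
        return {"path": m["path"], "kind": m["kind"].lower(), "verdict": m["verdict"]}
    m = _LOCKED.match(line)
    if m:
        return {"path": m["path"], "kind": "locked"}
    return None


def family(verdict):
    """Strip the 'not-a-virus:' prefix and keep the leading family token of the verdict name.
    'not-a-virus:AdWare.Win32.TTC.a' -> 'AdWare'; 'Trojan-Downloader.Win32.Agent.erf' -> 'Trojan-Downloader'."""
    name = verdict.split(":", 1)[1] if verdict.startswith("not-a-virus:") else verdict
    return name.split(".", 1)[0]


def unusual_location(path):
    """Return the reason a path is suspicious by location, or None."""
    for pattern, reason in _LOCATION_RULES:
        if re.search(pattern, path, re.IGNORECASE):
            return reason
    return None


def summarize(log_text):
    """Triage a whole log: counts per line kind, detections by family, and flagged locations."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    detections = [r for r in records if r["kind"] in ("infected", "suspicious")]
    return {
        "lines": len(records),
        "locked": sum(r["kind"] == "locked" for r in records),
        "containers": sum(r["kind"] == "container" for r in records),
        "infected": sum(r["kind"] == "infected" for r in records),
        "suspicious": sum(r["kind"] == "suspicious" for r in records),
        # "not-a-virus:" verdicts are adware / riskware, i.e. potentially unwanted rather than malware proper
        "pua": sum(r["verdict"].startswith("not-a-virus:") for r in detections),
        "families": Counter(family(r["verdict"]) for r in detections),
        "flagged": [(r["path"], unusual_location(r["path"]))
                    for r in detections if unusual_location(r["path"])],
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for key in ("lines", "locked", "containers", "infected", "suspicious", "pua"):
        print(f"{key:>10}: {result[key]}")
    print("  families:", dict(result["families"]))
    for path, reason in result["flagged"]:
        print(f"  FLAG [{reason}] {path}")
```

Run it on the full log by replacing SAMPLE_LOG with the file contents. The point of the "locked" bucket is that a long list of locked Symantec and registry files says nothing about infection; the flagged bucket is what a helper looks at first, because a file named svchost.exe under Fonts or an archive member named Crack.exe in the Recycle Bin is not something any installer puts there.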



#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:43 PM

Posted 03 December 2007 - 01:04 AM

Hello natasha,

I am SifuMike and I will be helping you. :thumbsup:

As a side note - I see your daughter is not afraid of visiting crack sites - using illegal software. :blink:
Because from the logs I can see that she actually installed some plug-ins that appear on crack sites to get access to the cracks. They install the malware on your system.

If you visit crack sites, use cracks, you'll ALWAYS get infected.
This is not only because of the crack itself, but because one single click entering that site may already download and install a huge malware bundle.

She will have to change your surfing habits, because these malware bundles may contain a key logger, collecting all your passwords and installing other random malware, compromising your system including infecting other computers.

And this all, because you visited some illegal sites.

Also, keep in mind, malware DAMAGES A LOT!

And the damage can't always be repaired, so a format and reinstall is the only solution in such cases.
So is it really worth it? Get illegal software for "free", but compromise/break your computer instead....
Better to avoid this instead and have her change her surfing habits. Then this wouldn't have happened.

******************

Please download ATF Cleaner by Atribune.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use the Firefox browser: Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser: Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

******************


You will need to use Internet Explorer for this scan.
Disable your antivirus program and go here to run BitDefender Online Scan.
Click on I Agree.
Avoid clicking on other links as you don't need to try out the full install at this point, just the online scanner.

When the ActiveX Control has loaded, click on "Click here to scan".
Please be patient, as this scan may take a few hours. It all depends on the number of files on your computer.

NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat the BitDefender Online Scan.


When BitDefender completes the scan, select the "Detected Problems" tab.
Click on "Click here to export scan".
Save the file as an HTML to your Desktop.
Then click on the saved file and allow it to open with your browser.
Go to Edit - Select All then copy/paste that log back here.
Post the BitDefender log.


******************

Download and install AVG Anti-Spyware v7.5.
  • After download, double click on the file to launch the install process.
  • Choose a language, click "OK" and then click "Next".
  • Read the "License Agreement" and click "I Agree".
  • Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
  • After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
  • Connect to the Internet, go back to AVG Anti-Spyware, select the "Update" button and click "Start update". Wait until you see the "Update successful" message. If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here.
  • Exit AVG Anti-Spyware when done - DO NOT perform a scan yet.
Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". (Note: When run in safe mode, sometimes the GUI is larger than the screen and the buttons at the bottom are partly or completely hidden, making them inaccessible for doing a scan. If this is the case, press the WINKEY + M key to "Minimize" the AVG display. Then right-click on AVG in the Task Bar and select "Maximize". If that does not help, then you may have to run your scan in normal mode and advise your helper afterwards.)

Scan with AVG Anti-Spyware as follows:
  • Click on the "Scanner" button and choose the "Settings" tab.
  • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
  • Under "How to Scan?", "Possibly unwanted software", and "What to Scan?" leave all the default settings.
  • Under "Reports" select "Do not automatically generate reports" and UNcheck "Only if threats were found".
  • Click the "Scan" tab to return to scanning options.
  • Click "Complete System Scan" to start.
  • When the scan has finished, it should automatically be set to Quarantine--if not click on Recommended Action and set it there.
  • You will also be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.
IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.
  • Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop.
    A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
  • Exit AVG Anti-Spyware when done, reboot normally and submit the log report in your next response.
Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. Doing so can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30 day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can continue to use as an on-demand scanner or you may purchase a license to use the full version.

When done, submit the BitDefender log, the AVG Anti-Spyware 7.5 log and a fresh Hijackthis log.

Edited by SifuMike, 03 December 2007 - 01:15 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:43 PM

Posted 09 December 2007 - 12:43 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.



