Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumonde


  • This topic is locked This topic is locked
2 replies to this topic

#1 MarcusAn4

MarcusAn4

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:40 PM

Posted 14 December 2007 - 05:50 PM

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\M-Audio\Install\EvoInst.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\DOCUME~1\Marcus\LOCALS~1\Temp\clclean.0001
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\AOL\1193679999\ee\AOLSoftware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aolsearch.com/
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1193679999\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [a8dcfcee] rundll32.exe "C:\WINDOWS\system32\ckaesnqf.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\rnpfvvek.exe (file missing)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: M-Audio Installer (EvoInstallerService) - Unknown owner - C:\Program Files\M-Audio\Install\EvoInst.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe






=================================================
Relatório | BHOs, Winlogon Notify e AppInit_DLLs
=================================================
AppInit_DLLs
-------------------------------------------------

[Vazia]


-------------------------------------------------
Authentication Packages
-------------------------------------------------

[1] msv1_0
[2] C:\WINDOWS\system32\geeba.dll


-------------------------------------------------
Security Providers
-------------------------------------------------

msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


-------------------------------------------------
Explorer Execute Hooks
-------------------------------------------------

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="shell32.dll"
"{937B1F7D-D382-4AAB-BD9A-27170D5AB889}"="C:\WINDOWS\system32\hgdcywu.dll"


-------------------------------------------------
Browser Helper Objects
-------------------------------------------------

[HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\]
[Indefinido] | [Indefinido]
[Indefinido]


[HKLM\SOFTWARE\Classes\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\]
Adobe PDF Reader Link Helper | [Indefinido]
C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll


[HKLM\SOFTWARE\Classes\CLSID\{2017E96E-4068-4312-B6CB-A07BDF74216E}\]
[Indefinido] | [Indefinido]
C:\WINDOWS\system32\geeba.dll


[HKLM\SOFTWARE\Classes\CLSID\{41034E84-EEF6-4E5E-BFEC-87080109C20D}\]
[Indefinido] | [Indefinido]
[Indefinido]


[HKLM\SOFTWARE\Classes\CLSID\{42738eb2-0326-4b40-a4b4-dab9269efaad}\]
[Indefinido] | {daafe962-9bad-4b4a-04b4-62302be83724}
C:\WINDOWS\system32\lnrunoou.dll


[HKLM\SOFTWARE\Classes\CLSID\{53707962-6F74-2D53-2644-206D7942484F}\]
Spybot-S&D IE Protection | [Indefinido]
C:\PROGRA~1\SPYBOT~1\SDHelper.dll


[HKLM\SOFTWARE\Classes\CLSID\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\]
Yahoo! IE Services Button | [Indefinido]
C:\Program Files\Yahoo!\Common\yiesrvc.dll


[HKLM\SOFTWARE\Classes\CLSID\{6BCD1595-BB1E-402C-9AC4-B983EA9BCED3}\]
[Indefinido] | [Indefinido]
[Indefinido]


[HKLM\SOFTWARE\Classes\CLSID\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}\]
scriptproxy | scriptproxy
c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll


[HKLM\SOFTWARE\Classes\CLSID\{887CB9A5-F644-4671-B5AB-2E2D98F45078}\]
[Indefinido] | [Indefinido]
[Indefinido]


[HKLM\SOFTWARE\Classes\CLSID\{937B1F7D-D382-4AAB-BD9A-27170D5AB889}\]
[Indefinido] | [Indefinido]
C:\WINDOWS\system32\hgdcywu.dll


[HKLM\SOFTWARE\Classes\CLSID\{F7DEDB1A-DE61-48F5-9DBB-DEBAF9B18C96}\]
[Indefinido] | [Indefinido]
[Indefinido]



-------------------------------------------------
Winlogon Notify
-------------------------------------------------


[Padrão] crypt32chain : crypt32.dll

[Padrão] cryptnet : cryptnet.dll

[Padrão] cscdll : cscdll.dll

[Nova] hgdcywu : hgdcywu.dll

[Padrão] igfxcui : igfxdev.dll

[Padrão] ScCertProp : wlnotify.dll

[Padrão] Schedule : wlnotify.dll

[Padrão] sclgntfy : sclgntfy.dll

[Padrão] SensLogn : WlNotify.dll

[Padrão] termsrv : wlnotify.dll

[Nova] WgaLogon : WgaLogon.dll

[Padrão] wlballoon : wlnotify.dll


Esta NÃO É uma lista de arquivos maliciosos!

BC AdBot (Login to Remove)

 


#2 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:40 PM

Posted 15 December 2007 - 05:33 AM

hello MarcusAn4

Copy and Paste this 'Fix' into either Notepad or Wordpad for future reference as you will be required to closed down you browser when following these steps.

Can you please disable your Real-time when doing this or any fix on your system, to Disable Tea-Timer

Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose Yes at the Warning prompt.
Expand the Tools menu.
Click Resident.
Uncheck the Resident "TeaTimer" (Protection of overall system settings) active. box.
In the File menu click Exit to exit Spybot Search & Destroy.

-----------------------

Please Re-open HijackThis and select "Do a System Scan only" and place a checkmark in the boxes before the following entries:

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [a8dcfcee] rundll32.exe "C:\WINDOWS\system32\ckaesnqf.dll",b
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\rnpfvvek.exe (file missing)

Close any Explorer windows which may be open and click the "Fix Checked" button.

-----------------------

Now please download this latest version of VundoFix to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files,
    click YES
  • Once you click yes, your desktop will go blank as it starts removing
    Vundo.
  • When completed, it will prompt that it will reboot your computer,
    click OK.
  • Please post the contents of C:\vundofix.txt in your next reply
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button."
when VundoFix appears at reboot.

Please Re-scan with HijackThis and post the new log and the C:\vundofix.txt

Thank you

#3 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:40 PM

Posted 15 December 2007 - 08:24 AM

MarcusAn4, I am helping you here:

http://www.bleepingcomputer.com/forums/t/120805/virtumonde/

Please post all replies to that topic




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users