
Hijackthis Log: Please Help With Virtumonde!



#1 imcuneo


Posted 28 February 2008 - 06:04 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:51, on 2008-02-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Canon\DIAS\CnxDIAS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\ryan.CCC\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {376FCDC4-5857-0B8D-0716-2800B6CB8EC8} - C:\WINDOWS\system32\pufx.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ccc.local
O17 - HKLM\Software\..\Telephony: DomainName = ccc.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ccc.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ccc.local
O20 - Winlogon Notify: txqoybip - txqoybip.dll (file missing)
O23 - Service: Canon Driver Information Assist Service - CANON INC. - C:\Program Files\Canon\DIAS\CnxDIAS.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

--
End of file - 2506 bytes

I had some time...

ComboFix 08-02-25.3 - Ryan 2008-02-28 14:14:22.1 - NTFSx86
Running from: C:\Documents and Settings\ryan.CCC\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\SYSTEM32\apyfuixx.ini
C:\WINDOWS\system32\hpvxivra.dll
C:\WINDOWS\SYSTEM32\hrtkgxhd.ini
C:\WINDOWS\SYSTEM32\jbcrbmro.ini
C:\WINDOWS\SYSTEM32\jtqhnekq.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\SYSTEM32\orutv.ini
C:\WINDOWS\SYSTEM32\orutv.ini2
C:\WINDOWS\SYSTEM32\qqdhfivy.ini
C:\WINDOWS\system32\txqoybip.dllbox
C:\WINDOWS\system32\udywrwyq.dll
C:\WINDOWS\system32\vturo.dll
C:\WINDOWS\system32\wghnobbu.dll
C:\WINDOWS\system32\yvifhdqq.dll
U:\My Documents\RACLE~1

----- BITS: Possible infected sites -----

hxxp://ccc
.
((((((((((((((((((((((((( Files Created from 2008-01-28 to 2008-02-28 )))))))))))))))))))))))))))))))
.

2008-02-28 12:47 . 2008-02-28 12:47 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-28 12:47 . 2008-02-28 12:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-28 10:26 . 2008-02-28 10:28 927,550 --a------ C:\WINDOWS\SYSTEM32\SYSTEM32 - DLLs.rar
2008-02-28 00:14 . 2004-08-03 23:56 5,120 --a------ C:\WINDOWS\SYSTEM32\vlwregmg.dll
2008-02-27 23:54 . 2008-02-27 23:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-27 23:43 . 2008-02-27 23:43 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-02-27 23:43 . 2008-02-27 23:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-27 09:44 . 2008-02-27 09:44 <DIR> d-------- C:\Program Files\Alwil Software
2008-02-27 09:44 . 2003-03-18 13:20 1,060,864 --a------ C:\WINDOWS\SYSTEM32\MFC71.dll
2008-02-27 09:44 . 2007-12-04 05:04 837,496 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2008-02-27 09:44 . 2004-01-09 01:13 380,928 --a------ C:\WINDOWS\SYSTEM32\actskin4.ocx
2008-02-27 09:44 . 2007-12-04 04:54 95,608 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
2008-02-27 09:44 . 2007-12-04 06:55 94,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2008-02-27 09:44 . 2007-12-04 06:56 93,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2008-02-27 09:44 . 2007-12-04 06:51 42,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2008-02-27 09:44 . 2007-12-04 06:49 26,624 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2008-02-27 09:44 . 2007-12-04 06:53 23,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2008-02-25 10:16 . 2008-02-28 11:51 99,432 --a------ C:\WINDOWS\BM37a44bf7.xml
2008-02-25 10:16 . 2008-02-28 11:51 22 --a------ C:\WINDOWS\pskt.ini
2008-02-24 13:27 . 2008-02-24 13:27 <DIR> d-------- C:\Documents and Settings\ryan.CCC\Application Data\Lavasoft
2008-02-24 13:22 . 2008-02-24 13:22 164 --a------ C:\install.dat
2008-02-24 10:40 . 2008-02-27 10:12 <DIR> d--hs---- C:\WINDOWS\S2FyYW4
2008-02-22 00:29 . 2008-02-22 00:30 59 --a------ C:\Triple Defrag and Shutdown.bat
2008-02-21 23:44 . 2008-02-01 09:50 229,376 --a------ C:\JkDefrag.exe
2008-02-21 23:26 . 2008-02-21 23:26 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-02-21 23:25 . 2008-02-21 23:25 <DIR> d-------- C:\Program Files\QT Lite
2008-02-21 23:25 . 2008-01-31 23:13 90,112 --a------ C:\WINDOWS\SYSTEM32\QuickTimeVR.qtx
2008-02-21 23:25 . 2008-01-31 23:13 57,344 --a------ C:\WINDOWS\SYSTEM32\QuickTime.qts
2008-02-21 21:58 . 2008-02-21 21:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-02-21 21:33 . 2008-02-27 23:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-21 21:32 . 2008-02-21 23:36 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-21 21:30 . 2008-02-28 12:48 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-21 21:28 . 2008-02-27 21:29 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-02-21 21:28 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\SYSTEM32\MSINET.OCX
2008-02-21 20:55 . 2008-02-21 20:55 <DIR> d-------- C:\WINDOWS\SYSTEM32\GroupPolicy
2008-02-21 20:54 . 2008-02-27 23:04 <DIR> d-------- C:\Program Files\Hitman Pro
2008-02-15 11:19 . 2008-02-22 12:57 <DIR> d-------- C:\Program Files\PokerStars
2008-02-11 16:32 . 2008-02-11 16:32 <DIR> d-------- C:\Documents and Settings\ryan.CCC\Application Data\Sierra

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-28 03:03 --------- d-----w C:\Program Files\Full Tilt Poker
2008-02-27 00:35 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-24 18:28 10 ----a-w C:\Program Files\.autoreg
2008-02-22 07:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-22 07:24 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-22 07:17 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-02-22 07:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-22 06:59 --------- d-----w C:\Program Files\Google
2008-02-22 05:28 --------- d-----w C:\Program Files\QuickTime
2008-02-09 02:49 --------- d--h--w C:\Documents and Settings\ryan.CCC\Application Data\Move Networks
2008-02-04 19:26 --------- d-----w C:\Documents and Settings\ryan.CCC\Application Data\U3
2008-02-03 20:41 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-01-01 22:02 --------- d-----w C:\Program Files\DivX
2007-12-30 01:58 --------- d-----w C:\Documents and Settings\ryan.CCC\Application Data\Media Player Classic
2007-12-30 01:58 --------- d-----w C:\Documents and Settings\ryan.CCC\Application Data\DivX
2005-08-09 01:16 1,980,725 -c--a-w C:\Program Files\ccf_win.zip
2005-06-28 18:47 10,135,688 -c--a-w C:\Program Files\MPSetupXP.exe
2005-05-08 05:09 73,032 -c--a-w C:\Documents and Settings\pastorsam\Application Data\GDIPFONTCACHEV1.DAT
2005-01-23 21:20 689 -c--a-w C:\Program Files\About 1677-89 BCF Assistant (32 bit).lnk
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{376FCDC4-5857-0B8D-0716-2800B6CB8EC8}]
C:\WINDOWS\system32\pufx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3c2bc424-0f8a-47ba-8741-f1150a719830}]
C:\WINDOWS\system32\hpvxivra.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B19872F2-BD59-4E46-9D1F-B7F69446B99D}]
C:\WINDOWS\system32\vturo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\txqoybip]
txqoybip.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1346150223-3523970184-4153121386-1137\Scripts\Logon\0\0]
"Script"=logon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1346150223-3523970184-4153121386-1140\Scripts\Logon\0\0]
"Script"=logon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1346150223-3523970184-4153121386-1156\Scripts\Logon\0\0]
"Script"=logon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1346150223-3523970184-4153121386-1164\Scripts\Logon\0\0]
"Script"=logon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1346150223-3523970184-4153121386-1196\Scripts\Logon\0\0]
"Script"=logon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1346150223-3523970184-4153121386-500\Scripts\Logon\0\0]
"Script"=logon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
C:\Program Files\Norton Internet Security\UrlLstCk.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{832471ad-715f-11dc-92d0-000d565b9540}]
\Shell\AutoRun\command - E:\StartPortableApps.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-28 14:33:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Canon\DIAS\CnxDIAS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-02-28 14:41:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-28 22:41:25
.
2008-02-28 06:41:56 --- E O F ---

#2 miekiemoes (Malware Response Team)

Posted 29 February 2008 - 04:16 PM

Hi,

I understand that you need help in order to get rid of the malware that is present on your system, but you need to help us first.
I notice that you never scanned with an Antivirus previously before starting this thread, because you don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There double-click the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.
Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an Antivirus scan is not present, which should be able to deal with most of it and prevent further reinfection.

#3 miekiemoes (Malware Response Team)

Posted 09 March 2008 - 08:30 AM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.