Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumonde / Hijack & Vbg Results


  • This topic is locked This topic is locked
2 replies to this topic

#1 brobinh

brobinh

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:10:45 AM

Posted 02 April 2008 - 06:55 AM

Been working on trying to eliminate Virtumonde. Hijack & VBG results below:

VBG
[04/02/2008, 7:39:06] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Family\Desktop\VirtumundoBeGone.exe" )
[04/02/2008, 7:39:10] - Detected System Information:
[04/02/2008, 7:39:10] - Windows Version: 5.1.2600, Service Pack 2
[04/02/2008, 7:39:10] - Current Username: Family (Admin)
[04/02/2008, 7:39:10] - Windows is in NORMAL mode.
[04/02/2008, 7:39:10] - Searching for Browser Helper Objects:
[04/02/2008, 7:39:10] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[04/02/2008, 7:39:10] - BHO 2: {0CE98548-FEE6-4707-87DE-88EFDAF81820} ()
[04/02/2008, 7:39:10] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/02/2008, 7:39:10] - Checking for HKLM\...\Winlogon\Notify\vtsts
[04/02/2008, 7:39:10] - Key not found: HKLM\...\Winlogon\Notify\vtsts, continuing.
[04/02/2008, 7:39:10] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[04/02/2008, 7:39:10] - BHO 4: {549B5CA7-4A86-11D7-A4DF-000874180BB3} ()
[04/02/2008, 7:39:10] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/02/2008, 7:39:10] - No filename found. Continuing.
[04/02/2008, 7:39:10] - BHO 5: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[04/02/2008, 7:39:11] - BHO 6: {5CBED013-41A0-4F13-A471-BB15F3F7B225} ()
[04/02/2008, 7:39:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/02/2008, 7:39:11] - Checking for HKLM\...\Winlogon\Notify\gebcd
[04/02/2008, 7:39:11] - Key not found: HKLM\...\Winlogon\Notify\gebcd, continuing.
[04/02/2008, 7:39:11] - BHO 7: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} ()
[04/02/2008, 7:39:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/02/2008, 7:39:11] - No filename found. Continuing.
[04/02/2008, 7:39:11] - BHO 8: {70DDD837-AC17-4BB7-A599-8E8CA0DF57F7} ()
[04/02/2008, 7:39:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/02/2008, 7:39:11] - Checking for HKLM\...\Winlogon\Notify\vtsqq
[04/02/2008, 7:39:11] - Key not found: HKLM\...\Winlogon\Notify\vtsqq, continuing.
[04/02/2008, 7:39:11] - BHO 9: {719E9B20-13B1-4054-B21D-2C69CA34C902} ()
[04/02/2008, 7:39:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/02/2008, 7:39:11] - Checking for HKLM\...\Winlogon\Notify\ddayy
[04/02/2008, 7:39:11] - Key not found: HKLM\...\Winlogon\Notify\ddayy, continuing.
[04/02/2008, 7:39:11] - BHO 10: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[04/02/2008, 7:39:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/02/2008, 7:39:11] - No filename found. Continuing.
[04/02/2008, 7:39:11] - BHO 11: {8DF89F5D-2D23-4BFD-890C-699B621A3305} ()
[04/02/2008, 7:39:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/02/2008, 7:39:11] - Checking for HKLM\...\Winlogon\Notify\ddayx
[04/02/2008, 7:39:11] - Key not found: HKLM\...\Winlogon\Notify\ddayx, continuing.
[04/02/2008, 7:39:11] - BHO 12: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[04/02/2008, 7:39:11] - BHO 13: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[04/02/2008, 7:39:11] - BHO 14: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} ()
[04/02/2008, 7:39:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/02/2008, 7:39:11] - No filename found. Continuing.
[04/02/2008, 7:39:11] - Finished Searching Browser Helper Objects
[04/02/2008, 7:39:11] - Finishing up...
[04/02/2008, 7:39:11] - Nothing found! Exiting...


HIJACK
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:39:56 AM, on 4/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\E_S00RP1.EXE
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O5 "LPT1:" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [\\BEDROOM\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P40 "\\BEDROOM\EPSON Stylus Photo R300 Series" /O6 "USB003" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [Shutter] C:\Program Files\Shutter\Shutter.exe
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /M "Stylus Photo R300" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2006\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2006\\Wizard.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2006\\Parser.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\System32\E_S00RP1.EXE
O23 - Service: GBPoll - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

--
End of file - 7749 bytes

Edited by brobinh, 02 April 2008 - 09:26 AM.


BC AdBot (Login to Remove)

 


#2 __RiP_ChAiN_

__RiP_ChAiN_

    Eh, whatever goes here.


  • Members
  • 1,592 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Omaha, Nebraska U.S.A
  • Local time:08:45 AM

Posted 10 April 2008 - 08:26 PM

Apologies for the delay in replying, but the forums have been overwhelmed with HIjackThis logs lately. If you still need help, please post back with a new HijackThis log, along with an update of the problems you are currently experiencing.
Posted Image

#3 __RiP_ChAiN_

__RiP_ChAiN_

    Eh, whatever goes here.


  • Members
  • 1,592 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Omaha, Nebraska U.S.A
  • Local time:08:45 AM

Posted 22 April 2008 - 07:32 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users