
Hijackthis Log: Virtumonde, Help Needed


  • This topic is locked
10 replies to this topic

#1 dheeraj chowdhary


Posted 02 April 2008 - 09:00 AM

hi,
i'm attaching the hijackThis log along with the post, plz help me remove this.

Attached Files

#2 dheeraj chowdhary


Posted 05 April 2008 - 10:18 AM

hey guys, help me .....

#3 jwbirdsong


Posted 07 April 2008 - 07:59 PM

Sorry for the extended delay in getting to your log. The forums have just been swamped.
If you still need help do the following:

Download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

REBOOT

Next download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close any open browsers.
  • If your Real protection or Antivirus intervenes with OTScanIt, allow it to run.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Leave all the settings at the default except as noted below
  • Under Additional Scans sections, check the following
    • Reg - BotCheck
    • File - Additional Folder Scan
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Save that notepad file
If the log is too large to post, use the ADDREPLY button, scroll down to the attachments section and attach the notepad file here.

Please post
  • MBAM log
  • OTScanIt log (attached)
in your reply here

#4 dheeraj chowdhary


Posted 08 April 2008 - 10:09 AM

hey, thanks for replying buddy. i've done as you said and am posting the 2 logs along with this post. now, is my pc free of the malware? if not, what all is left to be done, plz guide me through the process. thanks

Attached Files



#5 jwbirdsong


Posted 08 April 2008 - 06:05 PM

Start OtScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YN -> xxyxVpPf -> 
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {02478D38-C3F9-4efb-9B51-7695ECA05670} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {060BB0AB-4B09-4C51-9ECB-9580A6D08D7F} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {21693018-D6CA-41C9-8696-E270CB9CF83D} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {2701C022-4AAD-45DD-9550-56969438E405} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\xxyabYQJ.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {351DB733-F39A-4514-BF4B-94CCA1EE0876} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\xxywVoOE.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {5034D066-01B4-4048-A182-FA7FCE8EA86B} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {572FAEF2-BC6F-48DD-83F9-7750522E7348} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {74442A16-50D8-4B4D-940D-A3855CE91DBA} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\urqOgEvU.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {7BC81F29-E1B2-45D2-AFDD-C1145B402132} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {80FD33C5-A475-44B6-A3AD-3313C18E1913} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\qoMeCutt.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {DEDC32F0-752F-4D9A-92A2-84C0D877ACBD} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {EBDEB6C2-DD84-4B7B-8F5E-838F7A310315} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\pmnKAtTK.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {EE448C70-54AF-4B5C-9C51-0A4E6AD4218C} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\jkkICuTk.dll [Reg Error: Value  does not exist or could not be read.]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
[Files/Folders - Created Within 30 days]
NY -> kTuCIkkj.ini -> %SystemRoot%\System32\kTuCIkkj.ini
NY -> kTuCIkkj.ini2 -> %SystemRoot%\System32\kTuCIkkj.ini2
NY -> JQYbayxx.ini -> %SystemRoot%\System32\JQYbayxx.ini
NY -> JQYbayxx.ini2 -> %SystemRoot%\System32\JQYbayxx.ini2
NY -> KTtAKnmp.ini -> %SystemRoot%\System32\KTtAKnmp.ini
NY -> KTtAKnmp.ini2 -> %SystemRoot%\System32\KTtAKnmp.ini2
NY -> ttuCeMoq.ini -> %SystemRoot%\System32\ttuCeMoq.ini
NY -> ttuCeMoq.ini2 -> %SystemRoot%\System32\ttuCeMoq.ini2
NY -> EOoVwyxx.ini -> %SystemRoot%\System32\EOoVwyxx.ini
NY -> EOoVwyxx.ini2 -> %SystemRoot%\System32\EOoVwyxx.ini2
NY -> qwuhwfrp.dll -> %SystemRoot%\System32\qwuhwfrp.dll
NY -> pskt.ini -> %SystemRoot%\pskt.ini
NY -> BM0f1b24e4.xml -> %SystemRoot%\BM0f1b24e4.xml
[Files/Folders - Modified Within 30 days]
NY -> kTuCIkkj.ini -> %SystemRoot%\System32\kTuCIkkj.ini
NY -> kTuCIkkj.ini2 -> %SystemRoot%\System32\kTuCIkkj.ini2
NY -> JQYbayxx.ini -> %SystemRoot%\System32\JQYbayxx.ini
NY -> JQYbayxx.ini2 -> %SystemRoot%\System32\JQYbayxx.ini2
NY -> KTtAKnmp.ini -> %SystemRoot%\System32\KTtAKnmp.ini
NY -> KTtAKnmp.ini2 -> %SystemRoot%\System32\KTtAKnmp.ini2
NY -> ttuCeMoq.ini -> %SystemRoot%\System32\ttuCeMoq.ini
NY -> ttuCeMoq.ini2 -> %SystemRoot%\System32\ttuCeMoq.ini2
NY -> EOoVwyxx.ini -> %SystemRoot%\System32\EOoVwyxx.ini
NY -> qwuhwfrp.dll -> %SystemRoot%\System32\qwuhwfrp.dll
NY -> pskt.ini -> %SystemRoot%\pskt.ini
NY -> BM0f1b24e4.xml -> %SystemRoot%\BM0f1b24e4.xml
NY -> temp0.exe -> C:\Documents and Settings\USER\Local Settings\Temp\temp0.exe
NY -> GLB1A2B.EXE -> C:\Documents and Settings\USER\Local Settings\Temp\GLB1A2B.EXE
NY -> 31 C:\Documents and Settings\USER\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\USER\Local Settings\Temp\*.tmp
NY -> Ungins.exe -> C:\Documents and Settings\USER\Local Settings\Temp\2RB5RDVP\Ungins.exe
NY -> 24OnlineClientUninstallation.exe -> C:\Documents and Settings\USER\Local Settings\Temp\2U94IABJ\24OnlineClientUninstallation.exe
[Empty Temp Folders]
[Start Explorer]
[Reboot]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. If it reboots this may not happen. If you need to manually find the file it is at Desktop\OTScanIt\MovedFiles\04082008_163441.log or whatever yours is named (Date/Time you ran the fix)

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Click on the Start Scanning button at bottom of page.
  • Accept the License Agreement and the ActiveX install.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report to your Desktop for later posting.
Please post
  • OTscan it "results" log (described above)
  • F-Secure log
  • Fresh OtScanIt log made after F-secure
in your next reply here

#6 dheeraj chowdhary


Posted 09 April 2008 - 12:17 PM

i've done as u said and am posting the three logs with this post

Attached Files



#7 jwbirdsong


Posted 10 April 2008 - 08:04 AM

Looking clean as a whistle now. How's everything running?
Couple minor issues to finish up.

Copy the text in the following box to Notepad and save it to your desktop as "fix.reg". Make SURE to use the quotes when you save the file, else it may not save or run correctly.

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


If saved correctly, the file will have a registry-file icon.
Right click on fix.reg and choose Merge....answer Yes to the "Are you sure you wish to..." message; you will then get a confirmation message

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 u5.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications". (4th one down)
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u5-windowsi586-p.exe to install the newest version.

Do the above and post a final HijackThis log along with a description of how your computer is running now.
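The fix.reg above restores the LSA "Authentication Packages" value to its Windows default: the hex(7) bytes decode to the single REG_MULTI_SZ string msv1_0. That value matters because every package listed in it is loaded into LSASS at boot, so an extra DLL name there is a persistence point worth checking. The script below is an added example, not jwbirdsong's fix and not part of HijackThis, OTScanIt or any other tool in this thread: it parses a REGEDIT4-style .reg export, decodes the hex(7) value, and flags any package beyond the default. It assumes ["msv1_0"] is the Windows XP default, and the second input (with an appended string "EXAMPLE") is constructed to show what a flagged result looks like.

```python
"""Check the LSA "Authentication Packages" value in a REGEDIT4 .reg export.

Added example for this thread; not the fix posted above and not part of any
tool mentioned in it. Assumptions: the Windows XP default for the value is the
single string "msv1_0", and the .reg text follows the REGEDIT4 layout
(hex(7) = REG_MULTI_SZ, comma-separated bytes, NUL-separated strings,
double-NUL terminator).
"""
import re

# fix.reg exactly as posted in the thread.
FIX_REG = """REGEDIT4

[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"""

# Constructed input (not from the thread): a second string "EXAMPLE" appended
# after msv1_0, which is the shape a tampered value would take.
TAMPERED_REG = """REGEDIT4

[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,45,58,41,4d,50,4c,45,00,00
"""

LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"
DEFAULT_PACKAGES = ["msv1_0"]  # assumed Windows XP default

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Return {key_path_lowercase: {value_name: raw_value_text}}."""
    # regedit wraps long hex values with a trailing backslash; rejoin them first.
    joined = text.replace("\\\r\n", "").replace("\\\n", "")
    result, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4" or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            result[current][m.group(1)] = m.group(2)
    return result


def decode_multi_sz(raw):
    """Decode 'hex(7):6d,73,...' into the list of strings it encodes."""
    hex_bytes = raw.split(":", 1)[1]
    data = bytes(int(b, 16) for b in hex_bytes.split(",") if b.strip())
    strings = []
    for chunk in data.split(b"\x00"):
        if chunk == b"":  # an empty string marks the end of the list
            break
        strings.append(chunk.decode("latin-1"))  # REGEDIT4 files are ANSI
    return strings


def check_auth_packages(reg_text):
    """Return (packages, unexpected) for the LSA Authentication Packages value."""
    values = parse_reg(reg_text).get(LSA_KEY, {})
    raw = values.get("Authentication Packages")
    if raw is None:
        raise ValueError("Authentication Packages value not found under the Lsa key")
    if not raw.lower().startswith("hex(7):"):
        raise ValueError("expected a REG_MULTI_SZ (hex(7)) value, got: " + raw[:12])
    packages = decode_multi_sz(raw)
    unexpected = [p for p in packages if p.lower() not in DEFAULT_PACKAGES]
    return packages, unexpected


if __name__ == "__main__":
    for label, text in (("fix.reg from the thread", FIX_REG),
                        ("constructed tampered value", TAMPERED_REG)):
        packages, unexpected = check_auth_packages(text)
        verdict = "matches default" if not unexpected else "FLAG, extra: " + ", ".join(unexpected)
        print(f"{label}: {packages} -> {verdict}")
```

To check a live machine, export the Lsa key from regedit in the Win9x/NT4 (REGEDIT4) format and pass the file's text to check_auth_packages; exports in the newer 5.00 format are UTF-16 and must be decoded to text before parsing. A flagged package name is a reason to look at the named DLL, not a verdict by itself.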

#8 dheeraj chowdhary


Posted 10 April 2008 - 12:58 PM

well yeah the computer is performing much better now...the hijackthis log is posted here...
also i wanna know do i keep all the programs that i've downloaded, as in otscanit, spybot etc. ?

Attached Files



#9 jwbirdsong


Posted 10 April 2008 - 07:02 PM

You should certainly keep Spybot and MBAM. Use them as part of weekly(ish) maintenance.
HJT you can keep or uninstall as you choose. It's very small and takes up virtually no room.
Delete the fix.reg from your desktop.
  • Make sure you have an Internet Connection.
  • Double-click OTScanIt.exe to run it. (Vista users, please right click on OTScanIt.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtScanIt to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

Next clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
2. Restart your computer.
3. Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.
System Restore will now be active again.

To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It is free.

More info and download is available at links in the following article by TonyKlein

Make SURE to read How Did I Get Infected in the First Place??

#10 dheeraj chowdhary


Posted 11 April 2008 - 12:04 PM

thanks a lot buddy for ur invaluable help. i really appreciate it.
i've also downloaded the various preventive programs u told me to download.
keep up the good work mate...
cheers

#11 jwbirdsong


Posted 11 April 2008 - 12:11 PM

Glad we were able to help. As this appears to be solved, the topic will be closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



