
VirtuMonde and SuperJuan infection


  • This topic is locked
2 replies to this topic

#1 zeroth01

  • Members
  • 2 posts

Posted 04 February 2009 - 07:52 PM

Hello,

Nod32 has detected the presence of the Virtumonde trojan and the SuperJuan trojan. In an attempt to clean my computer I have run the latest version of VundoFix, which did not find anything, and ComboFix, which did find many things. Unfortunately I didn't follow any set of instructions when running ComboFix and subsequently didn't run ComboFix from the desktop.

I would like to know if my computer is still infected.

Please see my DDS log below and the attached Attach.txt. I have also attached the ComboFix log in case this is of any value.

Thank you!


DDS (Ver_09-02-01.01) - NTFSx86
Run by admin at 10:40:58.95 on Thu 2009-02-05
Internet Explorer: 6.0.2600.0000
Microsoft Windows 2000 Server 5.0.2195.4.1252.1.1033.18.511.138 [GMT 11:00]


============== Running Processes ===============

D:\WINNT\System32\termsrv.exe
D:\WINNT\system32\spoolsv.exe
E:\Program Files\QSC\Team Coherence\Server\Bin\TCService.exe
E:\Program Files\QSC\Team Coherence\Server\Bin\TCService.exe
E:\Program Files\QSC\Team Coherence\Server\Bin\TCService.exe
D:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
E:\Program Files\QSC\Team Coherence\Server\Bin\TCService.exe
E:\Program Files\QSC\Team Coherence\Server\Bin\TCService.exe
E:\Program Files\QSC\Team Coherence\Server\Bin\TCService.exe
E:\Program Files\Apache Group\Apache\Apache.exe
E:\Program Files\QSC\Team Coherence\Server\Bin\TCService.exe
E:\Program Files\QSC\Team Coherence\Server\Bin\TCService.exe
D:\WINNT\System32\cisvc.exe
E:\Program Files\QSC\Team Coherence\Server\Bin\TCService.exe
E:\Program Files\Apache Group\Apache\Apache.exe
E:\Program Files\QSC\Team Coherence\Server\Bin\TCService.exe
E:\Program Files\QSC\Team Coherence\Server\Bin\TCService.exe
E:\Program Files\QSC\Team Coherence\Server\Bin\TCService.exe
E:\Program Files\QSC\Team Coherence\Server\Bin\TCService.exe
E:\Program Files\QSC\Team Coherence\Server\Bin\TCService.exe
E:\Program Files\QSC\Team Coherence\Server\Bin\TCService.exe
E:\Program Files\QSC\Team Coherence\Server\Bin\TCService.exe
E:\Program Files\QSC\Team Coherence\Server\Bin\TCService.exe
E:\Program Files\QSC\Team Coherence\Server\Bin\TCService.exe
E:\Program Files\QSC\Team Coherence\Server\Bin\TCService.exe
E:\Program Files\QSC\Team Coherence\Server\Bin\TCService.exe
E:\Program Files\QSC\Team Coherence\Server\Bin\TCService.exe
E:\Program Files\QSC\Team Coherence\Server\Bin\TCService.exe
E:\Program Files\QSC\Team Coherence\Server\Bin\TCService.exe
E:\Program Files\QSC\Team Coherence\Server\Bin\TCService.exe
E:\Program Files\QSC\Team Coherence\Server\Bin\TCService.exe
D:\WINNT\System32\llssrv.exe
D:\WINNT\System32\tcpsvcs.exe
D:\WINNT\System32\sfmsvc.exe
D:\WINNT\System32\sfmprint.exe
E:\Program Files\QSC\Team Coherence\Server\Bin\TCService.exe
D:\Program Files\Eset\nod32krn.exe
D:\WINNT\system32\ntfrs.exe
D:\WINNT\System32\nvsvc32.exe
e:\PROGRA~1\POWERC~1\pcns.exe
d:\program files\jvm\bin\java.exe
D:\WINNT\system32\regsvc.exe
E:\Program Files\QSC\Team Coherence\Server\Bin\TCService.exe
D:\WINNT\System32\locator.exe
D:\WINNT\System32\snmp.exe
E:\Squid\squid.exe
E:\Program Files\QSC\Team Coherence\Server\Bin\TCService.exe
E:\Program Files\QSC\Team Coherence\Server\Bin\TCService.exe
D:\WINNT\System32\lserver.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\Dfssvc.exe
D:\WINNT\System32\inetsrv\inetinfo.exe
D:\WINNT\System32\ismserv.exe
D:\WINNT\system32\rdpclip.exe
D:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
D:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
D:\Program Files\Eset\nod32kui.exe
D:\WINNT\system32\internat.exe
E:\mssql7\Binn\sqlmangr.exe
E:\Program Files\WinZip\WZQKPICK.EXE
D:\WINNT\System32\cidaemon.exe
D:\WINNT\explorer.exe
D:\WINNT\System32\cidaemon.exe
D:\WINNT\system32\notepad.exe
D:\WINNT\Profiles\Administrator.IAS_AU_PDC.000\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = proxy.cache.telstra.net:3128
uInternet Settings,ProxyOverride = 172.16.8.7; 172.16.6.1;172.16.8.10
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - e:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [internat.exe] internat.exe
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [TCASUTIEXE] TCAUDIAG -off
mRun: [Acronis True Image Monitor] d:\program files\acronis\trueimage\TrueImageMonitor.exe
mRun: [Acronis Scheduler2 Service] d:\program files\common files\acronis\schedule2\schedhlp.exe
mRun: [nod32kui] "d:\program files\eset\nod32kui.exe" /WAITSERVICE
dRunOnce: [^SetupICWDesktop] d:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: d:\winnt\profiles\admini~1.000\startm~1\programs\startup\taskma~1.lnk - d:\winnt\profiles\administrator.ias_au_pdc.000\windows\system32\taskmgr.exe
StartupFolder: d:\winnt\profiles\alluse~1\startm~1\programs\startup\servic~1.lnk - e:\mssql7\binn\sqlmangr.exe
StartupFolder: d:\winnt\profiles\alluse~1\startm~1\programs\startup\winzip~1.lnk - e:\program files\winzip\WZQKPICK.EXE
mPolicies-explorer: ShowSuperHidden = 1 (0x1)
mPolicies-explorer: NoFileAssociate = 1 (0x1)
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: d:\winnt\system32\imon.dll
DPF: DirectAnimation Java Classes - file://d:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://d:\winnt\java\classes\xmldso.cab
DPF: {3334504D-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/mpeg4ax.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147068551856
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/1.4/jinstall-win32.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38208.8100925926
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {A9AA9C1D-6BAF-4976-ADE0-3A0D22DDCE49} = 172.16.6.10
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, pwdssp.dll
LSA: Notification Packages = FPNWCLNT RASSFM scecli

============= SERVICES / DRIVERS ===============

R0 DfsDriver;DfsDriver;d:\winnt\system32\drivers\dfs.sys [1999-12-7 74448]
R1 Dlc;DLC Protocol;d:\winnt\system32\drivers\DLC.SYS [1999-12-7 56112]
R1 nod32drv;nod32drv;d:\winnt\system32\drivers\nod32drv.sys [2007-10-5 15424]
R2 AchievaCC;Achieva coating control;e:\program files\qsc\team coherence\server\bin\TCService.exe [2003-12-29 134144]
R2 AchievaCCHMI;AchievaCC HMI;e:\program files\qsc\team coherence\server\bin\TCService.exe [2003-12-29 134144]
R2 AchievaMSST;Mill Setup Steel Tech;e:\program files\qsc\team coherence\server\bin\TCService.exe [2003-12-29 134144]
R2 AnnealingApps;Annealing Apps;e:\program files\qsc\team coherence\server\bin\TCService.exe [2003-12-29 134144]
R2 AnnealingDatabase;Annealing Database;e:\program files\qsc\team coherence\server\bin\TCService.exe [2003-12-29 134144]
R2 AnnealingLibrary;Annealing Library;e:\program files\qsc\team coherence\server\bin\TCService.exe [2003-12-29 134144]
R2 AppleTalk;AppleTalk Protocol;d:\winnt\system32\drivers\sfmatalk.sys [1999-12-7 148400]
R2 BHPSCW14;BHPSCW14 - Hot Mill Setup;e:\program files\qsc\team coherence\server\bin\TCService.exe [2003-12-29 134144]
R2 BorlandPackages;Borland Packages;e:\program files\qsc\team coherence\server\bin\TCService.exe [2003-12-29 134144]
R2 CMCApps;CMC Apps;e:\program files\qsc\team coherence\server\bin\TCService.exe [2003-12-29 134144]
R2 CMCLevel2;CMCLevel2;e:\program files\qsc\team coherence\server\bin\TCService.exe [2003-12-29 134144]
R2 CMCLevel2_2007;Coating Mass Control Level 2;e:\program files\qsc\team coherence\server\bin\TCService.exe [2003-12-29 134144]
R2 CoatingMassControl;Coating Mass Control;e:\program files\qsc\team coherence\server\bin\TCService.exe [2003-12-29 134144]
R2 Common;Common;e:\program files\qsc\team coherence\server\bin\TCService.exe [2003-12-29 134144]
R2 CommonMillSetupApps;Common Mill Setup Apps;e:\program files\qsc\team coherence\server\bin\TCService.exe [2003-12-29 134144]
R2 CommonMillSetupLibrary;Common Mill Setup Library;e:\program files\qsc\team coherence\server\bin\TCService.exe [2003-12-29 134144]
R2 CSNCoatMassCtrlLevel2;CSN Coating Mass Control Level 2;e:\program files\qsc\team coherence\server\bin\TCService.exe [2003-12-29 134144]
R2 DHCPServer;DHCP Server;d:\winnt\system32\tcpsvcs.exe [1999-12-7 25360]
R2 GlobalApps;Global Apps;e:\program files\qsc\team coherence\server\bin\TCService.exe [2003-12-29 134144]
R2 GlobalLibrary;Global Library;e:\program files\qsc\team coherence\server\bin\TCService.exe [2003-12-29 134144]
R2 HotMillSetupApps;Hot Mill Setup Apps;e:\program files\qsc\team coherence\server\bin\TCService.exe [2003-12-29 134144]
R2 HotMillSetupLibrary;Hot Mill Setup Library;e:\program files\qsc\team coherence\server\bin\TCService.exe [2003-12-29 134144]
R2 IAS;Internet Authentication Service;d:\winnt\system32\svchost.exe -k netsvcs [1999-12-7 7952]
R2 IASDocumentation;IAS Documentation;e:\program files\qsc\team coherence\server\bin\TCService.exe [2003-12-29 134144]
R2 IOWorks;IOWorks Server;e:\program files\qsc\team coherence\server\bin\TCService.exe [2003-12-29 134144]
R2 IOWorksAKSCMC;Team Coherence Server;e:\program files\qsc\team coherence\server\bin\TCService.exe [2003-12-29 134144]
R2 IOWorksImsa;IOWorks IMSA;e:\program files\qsc\team coherence\server\bin\TCService.exe [2003-12-29 134144]
R2 IOWorksINKote;IOWorks INKote;e:\program files\qsc\team coherence\server\bin\TCService.exe [2003-12-29 134144]
R2 IsmServ;Intersite Messaging;d:\winnt\system32\ismserv.exe [2006-5-9 25872]
R2 MacFile;File Server for Macintosh;d:\winnt\system32\SFMSVC.EXE [2006-5-9 68368]
R2 MacPrint;Print Server for Macintosh;d:\winnt\system32\sfmprint.exe [1999-12-7 85264]
R2 MillSetupDatabase;Mill Setup Database;e:\program files\qsc\team coherence\server\bin\TCService.exe [2003-12-29 134144]
R2 NntpSvc;Network News Transport Protocol (NNTP);d:\winnt\system32\inetsrv\inetinfo.exe [2006-5-9 14608]
R2 NOD32krn;NOD32 Kernel Service;d:\program files\eset\nod32krn.exe [2007-10-5 552064]
R2 NtFrs;File Replication Service;d:\winnt\system32\ntfrs.exe [2006-5-9 745232]
R2 PowerChuteNetShut;PowerChute Network Shutdown;e:\progra~1\powerc~1\pcns.exe [2007-2-26 24576]
R2 RMAS;RMAS;e:\program files\qsc\team coherence\server\bin\TCService.exe [2003-12-29 134144]
R2 SquidNT;SquidNT;e:\squid\squid.exe --ntservice:squidnt --> e:\squid\squid.exe --ntservice:SquidNT [?]
R2 TandemMillSetupApps;Tandem Mill Setup Apps;e:\program files\qsc\team coherence\server\bin\TCService.exe [2003-12-29 134144]
R2 TandemMillSetupLibrary;Tandem Mill Setup Library;e:\program files\qsc\team coherence\server\bin\TCService.exe [2003-12-29 134144]
R2 tcaicchg;tcaicchg;d:\winnt\system32\TCAICCHG.SYS [2002-6-25 21233]
R2 TCAITDI;TCAITDI Protocol;d:\winnt\system32\drivers\TCAITDI.SYS [2002-6-25 47328]
R2 TermServLicensing;Terminal Services Licensing;d:\winnt\system32\lserver.exe [2006-5-9 330512]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;d:\winnt\system32\drivers\el90xbc5.sys [2002-6-19 61712]
R3 MacSrv;SFM Kernel Driver;d:\winnt\system32\drivers\sfmsrv.sys [1999-12-7 154160]
R3 spud;Special Purpose Utility Driver;d:\winnt\system32\drivers\spud.sys [2002-6-20 12336]
S1 Scsiscan;Scsiscan; [x]
S2 GlobalDatabase;Global Database;e:\program files\qsc\team coherence\server\bin\TCService.exe [2003-12-29 134144]
S2 Scsiprnt;Scsiprnt;d:\winnt\system32\drivers\SCSIPRNT.SYS [1999-9-27 11632]
S3 Kiwi Syslog Daemon;Kiwi Syslog Daemon;e:\program files\syslogd\Syslogd_Service.exe [2007-6-12 1372160]
S3 TDASYNC;TDASYNC;d:\winnt\system32\drivers\tdasync.sys [2002-6-19 12664]
S3 TDIPX;TDIPX;d:\winnt\system32\drivers\tdipx.sys [2002-6-19 20760]
S3 TDNETB;TDNETB;d:\winnt\system32\drivers\tdnetb.sys [2002-6-19 18392]
S3 TDSPX;TDSPX;d:\winnt\system32\drivers\tdspx.sys [2002-6-19 18264]
S4 Aha174x;Aha174x; [x]
S4 Always;Always; [x]
S4 Arrow;Arrow; [x]
S4 Busmouse;Busmouse; [x]
S4 cirrus;cirrus; [x]
S4 dce376nt;dce376nt; [x]
S4 Dell_DGX;Dell_DGX; [x]
S4 Delldsa;Delldsa; [x]
S4 DptScsi;DptScsi; [x]
S4 dtc329x;dtc329x; [x]
S4 et4000;et4000; [x]
S4 Fd7000ex;Fd7000ex; [x]
S4 Fd8xx;Fd8xx; [x]
S4 Jazzg300;Jazzg300; [x]
S4 Jazzg364;Jazzg364; [x]
S4 Jzvxl484;Jzvxl484; [x]
S4 mga;mga; [x]
S4 mga_mil;mga_mil; [x]
S4 mitsumi;mitsumi; [x]
S4 mkecr5xx;mkecr5xx; [x]
S4 Ncr53c9x;Ncr53c9x; [x]
S4 ncr77c22;ncr77c22; [x]
S4 Ncrc700;Ncrc700; [x]
S4 Oliscsi;Oliscsi; [x]
S4 psidisp;psidisp; [x]
S4 qv;qv; [x]
S4 s3;s3; [x]
S4 slcd32;slcd32; [x]
S4 Spock;Spock; [x]
S4 T128;T128; [x]
S4 T13B;T13B; [x]
S4 tmv1;tmv1; [x]
S4 Ultra124;Ultra124; [x]
S4 Ultra14f;Ultra14f; [x]
S4 Ultra24f;Ultra24f; [x]
S4 v7vram;v7vram; [x]
S4 Wd33c93;Wd33c93; [x]
S4 wd90c24a;wd90c24a; [x]
S4 wdvga;wdvga; [x]
S4 weitekp9;weitekp9; [x]
S4 Xga;Xga; [x]

=============== Created Last 30 ================

2009-02-05 10:41 16,384 a------t d:\winnt\system32\Perflib_Perfdata_c74.dat
2009-02-05 09:41 16,384 a------t d:\winnt\system32\Perflib_Perfdata_b88.dat
2009-02-05 09:19 161,792 a------- d:\winnt\SWREG.exe
2009-02-05 09:19 98,816 a------- d:\winnt\sed.exe
2009-02-05 09:06 <DIR> --d----- D:\VundoFix Backups
2009-01-29 14:25 1,480,606 ---sh--- d:\winnt\system32\asoyukes.ini
2009-01-12 11:03 1,300,839 ---sh--- d:\winnt\system32\ureyidir.ini
2009-01-11 23:02 1,300,839 ---sh--- d:\winnt\system32\edibodak.ini
2009-01-11 11:01 1,300,839 ---sh--- d:\winnt\system32\ujosozel.ini
2009-01-10 23:00 1,300,835 ---sh--- d:\winnt\system32\igivuhiw.ini
2009-01-10 10:53 1,293,232 ---sh--- d:\winnt\system32\irezerah.ini
2009-01-09 22:52 1,286,083 ---sh--- d:\winnt\system32\apidafed.ini
2009-01-09 10:52 1,286,078 ---sh--- d:\winnt\system32\ejatageb.ini
2009-01-08 22:51 1,282,275 ---sh--- d:\winnt\system32\abubegaw.ini
2009-01-08 10:50 1,280,295 ---sh--- d:\winnt\system32\uviruluh.ini
2009-01-07 21:43 1,280,295 ---sh--- d:\winnt\system32\enufofir.ini
2009-01-07 09:43 1,280,295 ---sh--- d:\winnt\system32\uhetohuv.ini
2009-01-06 21:55 3,841 ---sh--- d:\winnt\system32\fosutozi.exe

==================== Find3M ====================

2002-06-19 14:42 21,952 ----h--- d:\program files\folder.htt
2002-06-19 14:42 271 ----h--- d:\program files\desktop.ini
1999-12-07 13:00 32,528 a------- d:\winnt\inf\wbfirdma.sys
1601-01-01 11:12 13,312 a--sh--- d:\winnt\system32\dejonebi.dll
1601-01-01 11:12 31,744 a--sh--- d:\winnt\system32\geyaziwa.dll

============= FINISH: 10:41:16.99 ===============

Attached Files
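The file listing in the DDS log above carries the usual Virtumonde footprint: hidden+system files with random eight-letter names in system32, a series of large .ini files written roughly twice a day, and two DLLs dated 1601-01-01, which is the zero value of a Windows FILETIME and therefore a creation time that was overwritten rather than recorded. The script below is an added example for triaging such a log; it is not part of the original post, nor code from DDS, VundoFix or ComboFix. The sample lines are copied from the log above; the indicator names and the eight-letter filename rule are my own assumptions, not DDS output.

```python
import re
from dataclasses import dataclass

# One DDS "Created Last 30" / "Find3M" entry looks like:
#   <date> <time> <size> <attrs> <path>
#   2009-01-29 14:25 1,480,606 ---sh--- d:\winnt\system32\asoyukes.ini
# The attrs field is eight characters; 's' = system, 'h' = hidden, 'd' = directory.
DDS_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.+?)\s*$"
)

# Assumption: Vundo-style dropped files use eight lowercase letters and one of these extensions.
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(ini|dll|exe)$")

# Zero FILETIME rendered by DDS; no real file is created on this date.
FILETIME_ZERO = "1601-01-01"


@dataclass
class Finding:
    path: str
    reasons: list


def parse_entry(line):
    """Parse one DDS file entry into a dict, or return None for non-entry lines."""
    m = DDS_LINE.match(line.strip())
    if not m:
        return None
    size = m["size"]
    return {
        "date": m["date"],
        "size": None if size == "<DIR>" else int(size.replace(",", "")),
        "attrs": m["attrs"],
        "path": m["path"],
    }


def assess(entry):
    """Return the list of indicator names that fire for one parsed entry."""
    reasons = []
    path = entry["path"].lower()
    name = path.rsplit("\\", 1)[-1]
    attrs = entry["attrs"]
    in_system32 = "\\system32\\" in path
    if "s" in attrs and "h" in attrs and in_system32:
        reasons.append("hidden+system in system32")
    if in_system32 and RANDOM_NAME.match(name):
        reasons.append("random 8-letter filename")
    if entry["date"] == FILETIME_ZERO:
        reasons.append("FILETIME-zero timestamp (timestomped)")
    return reasons


def triage(log_text):
    """Scan a block of DDS output and return a Finding for every suspicious entry."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            findings.append(Finding(entry["path"], reasons))
    return findings


# Lines copied from the log above: three clean entries, three Vundo-style ones.
SAMPLE = r"""
2009-02-05 10:41 16,384 a------t d:\winnt\system32\Perflib_Perfdata_c74.dat
2009-02-05 09:19 161,792 a------- d:\winnt\SWREG.exe
2009-02-05 09:06 <DIR> --d----- D:\VundoFix Backups
2009-01-29 14:25 1,480,606 ---sh--- d:\winnt\system32\asoyukes.ini
2009-01-06 21:55 3,841 ---sh--- d:\winnt\system32\fosutozi.exe
2002-06-19 14:42 21,952 ----h--- d:\program files\folder.htt
1601-01-01 11:12 13,312 a--sh--- d:\winnt\system32\dejonebi.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f.path, "->", ", ".join(f.reasons))
```

Run against a full DDS log this flags the twelve rotating .ini files, fosutozi.exe and both 1601-dated DLLs while leaving the ComboFix helpers (SWREG.exe, sed.exe), the Perflib temp files and the VundoFix backup directory alone. The hidden+system check is the reliable one; the eight-letter name rule is a heuristic that will also match some legitimate short names, so treat it as corroboration rather than proof.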


#2 zeroth01

  • Topic Starter
  • Members
  • 2 posts

Posted 10 February 2009 - 10:28 PM

Please ignore my previous post. I have discovered that the computer was still infected and have managed to remove the infection. No further help is needed!

Cheers!

#3 fenzodahl512

  • Members
  • 6,738 posts

Posted 11 February 2009 - 06:38 AM

Thank you for notifying us. I will now close this topic. Please PM any Moderator or HJT Team member should you need to re-open this topic.


Regards
fenzodahl512
