
Infected (Virtumonde?)


This topic is locked
2 replies to this topic

#1 JoeyRoland

  • Members
  • 4 posts
  • OFFLINE
  • Local time:08:11 PM

Posted 14 February 2009 - 11:57 PM

Hello,

I'm not sure why, but I suddenly got infected tonight. I wasn't on any weird sort of site or anything and next thing you know, Ad-Aware & WinPatrol are notifying me about changes to my IE helper. Spybot even prompted with a registry change. After finding the DLLs that were created about this time in the System32 folder, I can't seem to get the DLLs to delete - even in Safe Mode with KillBox. After running "IttyBitty Process Manager", it looks like the DLLs are somehow tied to Winlogon and maybe more system services...

Below are the screenshots I'm getting and my DDS log. Unfortunately, I can't get Ad-Aware to completely scan [in Safe Mode] so I'm not sure if that really is that Virtumonde thing... :)

[Three screenshots were attached to the original post here]

Any help with this would be GREATLY appreciated!

Thanks!

////////////////////////////////////////////////////////////////


DDS (Ver_09-02-01.01) - NTFSx86
Run by Joey Roland at 23:32:56.67 on Sat 02/14/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1024.475 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\WINPAT~1\winpatrol.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\LClock\LClock.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\DOCUME~1\JOEYRO~1\LOCALS~1\Temp\{B07C006A-1D42-4BAF-9B90-BCF43AF84B41}\Blaero Start Orb.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Joey Roland\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://my.yahoo.com/
mWinlogon: UIHost=vistaui.exe
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\snagit 8\SnagItBHO.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\adobe acrobat 7.0\activex\AcroIEHelper.dll
BHO: {205b857d-82aa-4b7f-b657-fab0f4d2b74c} - c:\windows\system32\mlJArQkk.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\xxyvSkkL.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\snagit 8\SnagItIEAddin.dll
TB: {4064EA35-578D-4073-A834-C96D82CBCF40} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [WinPatrol] c:\progra~1\winpat~1\winpatrol.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [LClock] c:\program files\lclock\LClock.exe
mRun: [Blaero Start Orb] c:\program files\blaero start orb\Blaero Start Orb.exe
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [Start WingMan Profiler] c:\program files\logitech\gaming software\LWEMon.exe /noui
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Save Flash - c:\program files\flash saving plugin\FlashSButton.dll/210
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: turbotax.com
DPF: {00000D27-0000-0000-0000-000000000000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1228000598156
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Notify: WBSrv - c:\progra~1\stardock\object~1\window~1\wbsrv.dll
Notify: xxyvSkkL - xxyvSkkL.dll
AppInit_DLLs: wbsys.dll jqcjlr.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\xxyvSkkL.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\mlJArQkk

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\joeyro~1\applic~1\mozilla\firefox\profiles\jmzgcxfp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.only2clicks.com/home.php
FF - plugin: c:\program files\adobe\adobe acrobat 7.0\acrobat\browser\nppdf32.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

============= SERVICES / DRIVERS ===============

R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [2007-10-15 156800]
R0 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [2007-10-15 5248]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
S3 PS3 Media Server;PS3 Media Server;c:\program files\ps3 media server\win32\service\wrapper.exe [2008-8-17 217088]

=============== Created Last 30 ================

2009-02-14 23:26 <DIR> --d----- c:\docume~1\joeyro~1\applic~1\Malwarebytes
2009-02-14 23:26 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-14 23:26 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-14 23:26 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-14 23:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-14 23:11 <DIR> --d----- c:\program files\Trend Micro
2009-02-14 22:12 <DIR> --d----- C:\!KillBox
2009-02-14 22:06 0 a------- c:\windows\TempFile
2009-02-14 20:29 2,126 a------- c:\windows\system32\wpa.dbl
2009-02-14 20:15 32,192 a--sh--- c:\windows\system32\kkQrAJlm.ini2
2009-02-14 20:15 32,192 a--sh--- c:\windows\system32\kkQrAJlm.ini
2009-02-14 20:15 302,592 -------- c:\windows\system32\mlJArQkk.dll
2009-02-14 20:10 36,352 -------- c:\windows\system32\xxyvSkkL.dll
2009-01-23 08:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\vsosdk
2009-01-19 22:12 <DIR> --d----- c:\program files\DVDFab 5
2009-01-19 21:15 685,056 a------- c:\windows\system32\drivers\hardlock.sys
2009-01-19 21:15 <DIR> --d----- c:\program files\Custom Technology
2009-01-19 21:09 <DIR> --d----- c:\program files\DVD-RB PRO
2009-01-19 08:55 32,592 a------- c:\windows\system32\msonpmon.dll
2009-01-19 08:44 <DIR> --d----- c:\program files\Microsoft Visual Studio 8
2009-01-19 08:27 <DIR> --d----- c:\program files\MagicISO

==================== Find3M ====================

2009-01-08 18:58 22,328 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-01-08 18:57 107,832 a------- c:\windows\system32\PnkBstrB.exe
2008-12-29 08:47 43,698 a------- c:\windows\system32\xvid-uninstall.exe
2008-09-01 08:47 87,608 a------- c:\docume~1\joeyro~1\applic~1\inst.exe
2008-09-01 08:47 47,360 a------- c:\docume~1\joeyro~1\applic~1\pcouffin.sys
2007-09-20 19:42 22,328 a------- c:\docume~1\joeyro~1\applic~1\PnkBstrK.sys

============= FINISH: 23:33:47.87 ===============

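As an added, defender-side example (not code from the original post, from DDS, or from BleepingComputer), here is a small Python triage script that parses the kinds of "Pseudo HJT Report" lines DDS prints (BHO, TB, EB, SEH, Winlogon Notify, AppInit_DLLs, LSA Authentication Packages) and flags the patterns an analyst looks for in a log like the one above: add-ons with no friendly name loading from system32, LSA authentication packages other than the default msv1_0, AppInit_DLLs entries, and one module registered in several persistence locations at once. The sample lines are copied from the log above; the regexes, function names and heuristics are assumptions of this example about the DDS output format, not anything DDS itself documents.

```python
"""Triage a DDS 'Pseudo HJT Report' for persistence entries worth a closer look.

Reports only; nothing on the machine is changed. Heuristics (assumptions of
this added example, not part of DDS):
  * BHO/TB/EB/SEH add-ons with no friendly name that load from system32
  * LSA Authentication Packages other than the default msv1_0
  * any AppInit_DLLs entry (loaded into every process that maps user32.dll)
  * one module registered in several locations, at least one of which runs
    inside winlogon.exe / lsass.exe (Notify, LSA) or every GUI process
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the Pseudo HJT section of the post
# above, with a few benign entries kept so the heuristics have noise to ignore.
SAMPLE_REPORT = r"""
mWinlogon: UIHost=vistaui.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\adobe acrobat 7.0\activex\AcroIEHelper.dll
BHO: {205b857d-82aa-4b7f-b657-fab0f4d2b74c} - c:\windows\system32\mlJArQkk.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\xxyvSkkL.dll
TB: {4064EA35-578D-4073-A834-C96D82CBCF40} - No File
Notify: AtiExtEvent - Ati2evxx.dll
Notify: xxyvSkkL - xxyvSkkL.dll
AppInit_DLLs: wbsys.dll jqcjlr.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\xxyvSkkL.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\mlJArQkk
"""

# Line shapes assumed from the log above (friendly name is optional on add-ons).
ADDON_RE = re.compile(
    r"^(?P<kind>BHO|TB|EB|SEH): (?:(?P<name>.+?): )?\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$"
)
NOTIFY_RE = re.compile(r"^Notify: (?P<name>\S+) - (?P<path>.+)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<dlls>.+)$")
LSA_RE = re.compile(r"^LSA: Authentication Packages = (?P<pkgs>.+)$")

ADDON_KINDS = {"BHO", "TB", "EB", "SEH"}
PRIVILEGED_LOCATIONS = {"Notify", "AppInit_DLLs", "LSA"}
DEFAULT_LSA_PACKAGES = {"msv1_0"}


def module_key(path):
    """Lower-case base name without extension, so 'c:\\...\\mlJArQkk.dll' (BHO line)
    and 'c:\\...\\mlJArQkk' (LSA line, no extension) refer to the same module."""
    base = re.split(r"[\\/]", path.strip())[-1]
    return re.sub(r"\.(dll|exe)$", "", base, flags=re.I).lower()


def parse_report(text):
    """Return a list of (location, friendly_name_or_None, path) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ADDON_RE.match(line)
        if m:
            entries.append((m["kind"], m["name"], m["path"]))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            entries.append(("Notify", m["name"], m["path"]))
            continue
        m = APPINIT_RE.match(line)
        if m:
            entries.extend(("AppInit_DLLs", None, dll) for dll in m["dlls"].split())
            continue
        m = LSA_RE.match(line)
        if m:
            entries.extend(("LSA", None, pkg) for pkg in m["pkgs"].split())
    return entries


def triage(text):
    """Return (findings, locations): findings is a list of (module, reason),
    locations maps each module key to the set of locations registering it."""
    locations = defaultdict(set)
    findings = []
    for location, name, path in parse_report(text):
        if path == "No File":
            continue  # orphaned CLSID with nothing on disk; not a loaded module
        key = module_key(path)
        locations[key].add(location)
        if location in ADDON_KINDS and name is None and "system32" in path.lower():
            findings.append((key, f"unnamed {location} loading from system32"))
        elif location == "LSA" and key not in DEFAULT_LSA_PACKAGES:
            findings.append((key, "non-default LSA authentication package"))
        elif location == "AppInit_DLLs":
            findings.append((key, "AppInit_DLLs entry (injected into every user32 process); review"))
    for key, locs in locations.items():
        if len(locs) >= 2 and locs & PRIVILEGED_LOCATIONS:
            findings.append((key, "registered in several persistence locations: " + ", ".join(sorted(locs))))
    return findings, dict(locations)


if __name__ == "__main__":
    for module, reason in triage(SAMPLE_REPORT)[0]:
        print(f"{module:12s} {reason}")
```

Run against the sample, the script reports mlJArQkk (unnamed BHO plus an extra LSA authentication package) and xxyvSkkL (unnamed BHO, unnamed SEH, and a Winlogon Notify entry) as modules registered in several places, which is consistent with the poster's observation that the DLLs appeared tied to Winlogon and would not delete from a running session. wbsys.dll and jqcjlr.dll are listed only for review: AppInit_DLLs is a legitimate mechanism as well as an abused one, so the script does not call either malicious.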


#2 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:11 PM

Posted 18 February 2009 - 07:21 PM

Hi JoeyRoland,

Sorry for the delay. We have many logs backed up.

If you still need help, then please post the last Malwarebytes log, so I can see what it found.

If I've saved you time & money, please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:11 PM

Posted 24 February 2009 - 02:47 PM

Due to inactivity, this thread will now be closed.