Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Vundo/Virtumonde/smitfraud


  • This topic is locked This topic is locked
3 replies to this topic

#1 mapleleafs791

mapleleafs791

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:01:18 PM

Posted 19 February 2009 - 12:15 PM

A couple days ago whenever i clicked a site i googled i would keep getting redirected to other unrelated/fake sites constantly. i tried using spybot and it couldnt permanently remove the problem. it said it found a bunch of registry entries and a dll or 2 of the following: Smitfraud, Vundo, Virtumonde (guessing its all the same thing). I'v had this before but i was able to remove it with combofix. it seems i got reinfected and nothing i can do will remove it. its making searching for sites a huge hassle and slowing everything down.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Chipo Mulaisho at 12:03:52.93 on Thu 02/19/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1287 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Retrospect\Retrospect Express HD 2.0\retrorun.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Documents and Settings\Chipo Mulaisho\Desktop\2 finger scroll\TwoFingerScroll.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM6\anotify.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Retrospect\Retrospect Express HD 2.0\retrospect.exe
C:\Documents and Settings\Chipo Mulaisho\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/?src=aim
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 0.0.0.0
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5CA3D70E-1895-11CF-8E15-001234567890} - No File
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\hgGvvtuV.dll
BHO: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: {7a4de0c9-cc4f-4ded-8076-0364c74853b5} - c:\windows\system32\mlJCSkKB.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [TwoFingerScroll] c:\documents and settings\chipo mulaisho\desktop\2 finger scroll\TwoFingerScroll.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [RetroExpress] c:\progra~1\retros~1\retros~1.0\RetroExpress.exe /h
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [e43519f6] rundll32.exe "c:\windows\system32\qcuartha.dll",b
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\datavi~1.lnk - c:\program files\common files\dataviz\DvzIncMsgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google updater\GoogleUpdater.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\Hotsync.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: hgGvvtuV - hgGvvtuV.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\hgGvvtuV.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\mlJCSkKB

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chipom~1\applic~1\mozilla\firefox\profiles\t8frtxb3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official|http://mail.google.com/mail/#inbox|http://umich.edu/|about:blank
FF - plugin: c:\documents and settings\chipo mulaisho\application data\mozilla\firefox\profiles\t8frtxb3.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 950096]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-11-2 24652]
S0 aylnlfdx;aylnlfdx;c:\windows\system32\drivers\phqghume.sys --> c:\windows\system32\drivers\phqghume.sys [?]
S0 dzhwttjo;dzhwttjo;c:\windows\system32\drivers\uqsnfbjq.sys --> c:\windows\system32\drivers\uqsnfbjq.sys [?]
S0 fsgjtbst;fsgjtbst;c:\windows\system32\drivers\wfajxhwf.sys [2009-2-17 25088]
S0 gjvzstwn;gjvzstwn;c:\windows\system32\drivers\hmzphguv.sys []
S0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-19 64160]
S0 mnvfzkmd;mnvfzkmd;c:\windows\system32\drivers\iataqhqe.sys --> c:\windows\system32\drivers\iataqhqe.sys [?]
S0 neofujfi;neofujfi;c:\windows\system32\drivers\xnpetjpf.sys --> c:\windows\system32\drivers\xnpetjpf.sys [?]
S0 rakklxhl;rakklxhl;c:\windows\system32\drivers\bvyovnai.sys --> c:\windows\system32\drivers\bvyovnai.sys [?]
S0 uklsuvhh;uklsuvhh;c:\windows\system32\drivers\dlmlgpdr.sys --> c:\windows\system32\drivers\dlmlgpdr.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-1-25 42000]

=============== Created Last 30 ================

2009-02-19 11:48 <DIR> --d----- C:\ComboFix
2009-02-19 11:48 388,608 a------- c:\windows\system32\CF9405.exe
2009-02-19 11:41 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-19 11:33 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-19 11:32 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-02-18 20:27 124,416 a------- c:\windows\system32\jneymwkh.dll
2009-02-18 20:27 124,416 a------- c:\windows\system32\ecgkco.dll
2009-02-18 20:24 1,581,615 ---sh--- c:\windows\system32\ahtraucq.ini
2009-02-18 20:24 69,120 a------- c:\windows\system32\qcuartha.dll
2009-02-18 20:21 9,668 a--sh--- c:\windows\system32\BKkSCJlm.ini2
2009-02-18 20:21 9,668 a--sh--- c:\windows\system32\BKkSCJlm.ini
2009-02-18 17:53 388,608 a------- c:\windows\system32\CF28151.exe
2009-02-18 17:27 299,008 a------- c:\windows\system32\mlJCSkKB.dll
2009-02-18 15:12 299,008 a------- c:\windows\system32\ssqPjkIx.dll
2009-02-17 13:15 48,640 a------- c:\windows\system32\geBuUnli.dll
2009-02-17 13:12 3,564 a------- c:\windows\fsgjtbst
2009-02-17 13:12 25,088 a------- c:\windows\system32\drivers\wfajxhwf.sys
2009-02-17 13:12 299,008 a------- c:\windows\system32\rqRKATKC.dll
2009-02-17 13:07 47,616 a------- c:\windows\system32\hgGvvtuV.dll
2009-02-14 17:59 <DIR> --d----- c:\program files\Pocket Tanks Deluxe
2009-02-12 14:36 <DIR> --d----- c:\program files\VirtualDJ
2009-02-09 22:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\RetroExp
2009-02-09 22:31 <DIR> --d----- c:\program files\Retrospect
2009-01-25 18:54 <DIR> --d----- c:\program files\Pocket Tanks

==================== Find3M ====================

2007-11-19 12:19 92,064 ac------ c:\documents and settings\chipo mulaisho\mqdmmdm.sys
2007-11-19 12:19 79,328 ac------ c:\documents and settings\chipo mulaisho\mqdmserd.sys
2007-11-19 12:19 66,656 ac------ c:\documents and settings\chipo mulaisho\mqdmbus.sys
2007-11-19 12:19 25,600 ac------ c:\documents and settings\chipo mulaisho\usbsermptxp.sys
2007-11-19 12:19 22,768 ac------ c:\documents and settings\chipo mulaisho\usbsermpt.sys
2007-11-19 12:19 9,232 ac------ c:\documents and settings\chipo mulaisho\mqdmmdfl.sys
2007-11-19 12:19 6,208 ac------ c:\documents and settings\chipo mulaisho\mqdmcmnt.sys
2007-11-19 12:19 5,936 ac------ c:\documents and settings\chipo mulaisho\mqdmwhnt.sys
2007-11-19 12:19 4,048 ac------ c:\documents and settings\chipo mulaisho\mqdmcr.sys

============= FINISH: 12:04:47.34 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:18 PM

Posted 23 February 2009 - 09:00 PM

Hello.

We will start off with Combofix.

Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may call it to stall.

Post back with:
-Combofix log
-New Hijackthis log


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:18 PM

Posted 26 February 2009 - 04:38 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding. :thumbup2:

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:18 PM

Posted 28 February 2009 - 07:56 AM

Hello.

Due to Lack of feedback, this topic is now Closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal forum.

With Regards,
Extremeboy

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users