Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumonde removal


  • This topic is locked This topic is locked
2 replies to this topic

#1 GSimp

GSimp

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:06:33 PM

Posted 30 March 2009 - 04:34 PM

I've dealt with this before, and my solution was using Norton Ghost to restore my hard drive to a back up, which worked, however I would like to not do that again to keep files : ). Well some website I went to must have had it again, so now I'm stuck with it. I have run ComboFix and the log is posted below as requested.

ComboFix 09-03-29.04 - msimpson 2009-03-30 17:22:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2814.2243 [GMT -4:00]
Running from: c:\documents and settings\msimpson\Desktop\ComboFix.exe
AV: a-squared Anti-Malware *On-access scanning disabled* (Updated)
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\emMON.exe
c:\windows\system32\fohomugu.dll
c:\windows\system32\luyusowa.dll
c:\windows\system32\mofewobi.dll
c:\windows\system32\sekapehu.dll
c:\windows\system32\wogisewo.dll
c:\windows\system32\wuyeligo.dll
c:\windows\system32\zabinose.dll

----- BITS: Possible infected sites -----

hxxp://82.98.235.205
.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-30 )))))))))))))))))))))))))))))))
.

2009-03-29 11:03 . 2009-03-09 15:06 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-03-29 09:55 . 2009-03-29 09:55 153 --a------ c:\windows\wininit.ini
2009-03-29 09:46 . 2009-03-09 15:06 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-03-29 09:45 . 2009-03-29 09:45 <DIR> d-------- c:\program files\Lavasoft
2009-03-29 09:45 . 2009-03-29 09:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-29 09:45 . 2009-03-29 09:45 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-19 21:06 . 2009-03-19 21:06 <DIR> d-------- c:\documents and settings\msimpson\Application Data\vlc
2009-03-19 21:05 . 2009-03-19 21:05 <DIR> d-------- c:\program files\VideoLAN
2009-03-16 19:17 . 2009-03-16 19:17 <DIR> d-------- c:\program files\MathType
2009-03-16 19:17 . 2009-03-16 19:17 <DIR> d-------- c:\documents and settings\msimpson\Application Data\Design Science
2009-03-05 18:43 . 2009-03-05 19:36 66,936 --ahs---- c:\windows\dlinfo_1.drv
2009-03-04 23:50 . 2009-03-05 00:44 66,936 --ahs---- c:\windows\dlinfo_0.drv
2009-03-04 23:45 . 2009-03-04 23:45 <DIR> d-------- c:\documents and settings\msimpson\WINDOWS
2009-03-04 23:43 . 2009-03-04 23:43 61,440 --a------ c:\windows\diabunin.exe
2009-03-04 21:56 . 2009-03-04 21:56 <DIR> d-------- c:\documents and settings\msimpson\Application Data\teamspeak2
2009-03-04 21:56 . 2009-03-04 21:56 34,064 --a------ c:\windows\system32\lhacm.acm
2009-03-04 21:55 . 2009-03-04 21:56 <DIR> d-------- c:\program files\Teamspeak2_RC2
2009-03-03 00:08 . 2009-03-03 00:08 <DIR> d-------- c:\program files\Riva
2009-03-03 00:08 . 2009-03-03 00:08 <DIR> d-------- c:\program files\Common Files\SWF Studio
2009-02-28 23:22 . 2009-03-03 21:29 23 --a------ c:\windows\BlendSettings.ini
2009-02-28 22:28 . 2009-02-28 22:28 66,936 --ahs---- c:\windows\slinfo_0.drv
2009-02-28 22:27 . 2009-03-04 23:50 <DIR> d-------- C:\Diablo
2009-02-28 22:27 . 2009-03-04 23:43 86,528 --a------ c:\windows\bnetunin.exe
2009-02-28 22:27 . 2009-02-28 22:27 61,440 --a------ c:\windows\diabswun.exe
2009-02-28 22:17 . 2009-03-18 22:30 <DIR> d-------- c:\program files\Bethesda Softworks
2009-02-27 09:12 . 2009-02-27 09:12 <DIR> d-------- c:\program files\Eufony Lite
2009-02-27 09:08 . 2009-02-27 09:09 <DIR> d-------- c:\program files\FLAC
2009-02-26 01:02 . 2009-03-18 22:00 <DIR> d-------- c:\program files\a-squared Anti-Malware
2009-02-23 21:36 . 2009-03-28 17:45 <DIR> d-------- C:\Fraps
2009-02-23 01:11 . 2007-07-19 19:14 1,358,192 --a------ c:\windows\system32\D3DCompiler_35.dll
2009-02-23 01:11 . 2007-07-19 19:14 444,776 --a------ c:\windows\system32\d3dx10_35.dll
2009-02-23 01:11 . 2007-07-20 01:57 267,112 --a------ c:\windows\system32\xactengine2_9.dll
2009-02-23 00:59 . 2009-02-23 01:11 <DIR> d-------- c:\program files\The Witcher
2009-02-19 22:18 . 2009-02-19 22:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\CCP
2009-02-19 22:10 . 2007-07-19 19:14 3,727,720 --a------ c:\windows\system32\d3dx9_35.dll
2009-02-19 22:05 . 2009-02-19 22:05 <DIR> d-------- c:\program files\CCP
2009-02-19 21:15 . 2009-02-19 21:15 <DIR> d-------- c:\program files\Ventrilo
2009-02-19 21:15 . 2009-03-30 17:25 <DIR> d-------- c:\program files\Steam
2009-02-19 21:15 . 2009-02-19 21:15 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-02-19 21:15 . 2009-03-08 15:21 <DIR> d-------- c:\documents and settings\msimpson\Application Data\Ventrilo
2009-02-19 21:15 . 2009-02-19 21:15 262 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2009-02-19 21:14 . 2009-02-19 21:14 <DIR> d-------- c:\program files\Opera
2009-02-19 20:07 . 2005-10-27 16:06 356,096 --a------ c:\windows\system32\drivers\rt61.sys
2009-02-19 20:07 . 2005-05-17 17:24 311,296 --a------ c:\windows\system32\AegisI5.exe
2009-02-19 20:07 . 2005-10-20 16:00 243,328 --a------ c:\windows\system32\drivers\RT2500.SYS
2009-02-19 20:07 . 2005-07-15 19:11 81,920 --a------ c:\windows\system32\Install6x.dll
2009-02-19 20:07 . 2009-02-19 20:07 20,747 --a------ c:\windows\system32\drivers\AegisP.sys
2009-02-19 20:07 . 2005-10-26 15:22 8,192 --a------ c:\windows\system32\drivers\RT2661.bin
2009-02-19 20:07 . 2005-10-26 15:22 8,192 --a------ c:\windows\system32\drivers\RT2561s.bin
2009-02-19 20:07 . 2005-10-26 15:22 8,192 --a------ c:\windows\system32\drivers\RT2561.bin
2009-02-19 20:07 . 2005-06-16 01:30 162 --a------ c:\windows\filespec6x
2009-02-19 20:06 . 2009-02-19 20:06 <DIR> d-------- c:\program files\Hawking

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-29 13:43 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-29 13:42 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-28 14:29 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-01 02:17 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-23 05:11 278,984 ----a-w c:\windows\system32\drivers\atksgt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-09-19 455968]
"EPSON Stylus Photo R380 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIBOA.EXE" [2006-05-29 139264]
"Steam"="c:\program files\Steam\Steam.exe" [2009-02-19 1410296]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-06 8523776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-06 81920]
"Norton Ghost 12.0"="c:\program files\Norton Ghost\Agent\VProTray.exe" [2007-03-28 2037352]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 1443072]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2008-01-29 91432]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2008-01-22 81920]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 62760]
"a-squared"="c:\program files\A-SQUARED ANTI-MALWARE\a2guard.exe" [2009-02-27 2799760]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"nwiz"="nwiz.exe" [2007-11-06 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-16 c:\windows\RTHDCPL.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Hawking Wireless Utility.lnk - c:\program files\Hawking\Common\RaUI.exe [2009-02-19 651264]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Hawking\\Common\\RaUI.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-29 64160]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-02-20 33800]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};c:\program files\CyberLink\PowerDVD\000.fcl [2008-09-28 04:37:33 41456]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-02-20 472320]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [2001-08-23 3584]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d0522fc1-7bbf-11dd-9f08-806d6172696f}]
\Shell\AutoRun\command - d:\programs\nu2menu\nu2menu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-03-29 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 15:06]
.
- - - - ORPHANS REMOVED - - - -

BHO-{f5fba4ab-7439-4b23-8394-16c2bd798d1a} - c:\windows\system32\mofewobi.dll
HKLM-Run-0075e356 - c:\windows\system32\pabipihe.dll
HKLM-Run-emMON - emMON.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.kronosrobotics.com/xcart/home.php
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-30 17:25:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1048)
c:\windows\system32\nvappfilter.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\a-squared Anti-Malware\a2service.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Norton Ghost\Agent\VProSvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-30 17:27:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-30 21:27:56

Pre-Run: 97,827,094,528 bytes free
Post-Run: 98,060,640,256 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

196

BC AdBot (Login to Remove)

 


#2 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:06:33 PM

Posted 08 April 2009 - 02:53 PM

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Please post the contents of log.txt.
Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
  • Reply to this thread; do not start another!
  • Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
  • Do not run any other tool until instructed to do so!
  • Let me know if any of the links do not work or if any of the tools do not work.
  • Tell me about problems or symptoms that occur during the fix.
  • Do not run any other programs or open any other windows while doing a fix.
  • Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.
Thanks.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:06:33 PM

Posted 19 April 2009 - 06:13 PM

This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users