
Infected?


2 replies to this topic

#1 islandoftheship


  • Members
  • 1 posts

Posted 22 July 2009 - 10:08 PM

I think I have the Virtumonde virus, but I can't run my computer in anything but safe mode so my spybot/antivirus programs are disabled.

However, here is my log:


DDS (Ver_09-06-26.01) - NTFSx86 DSREPAIR
Run by Administrator at 23:06:11.60 on Wed 07/22/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ask.com/?o=101676&l=dis
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101664&gct=&gc=1&q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uURLSearchHooks: H - No File
mWinlogon: Taskman=c:\recycler\s-1-5-21-0291685912-5875948537-382693809-0553\svchost.exe
uWindows: load=c:\aim\dtect16.exe
BHO: 1 (0x1): {02478d38-c3f9-4efb-9b51-7695eca05670} - Yahoo! Toolbar Helper
BHO: c:\windows\system32\ghaf8jkdfd.dll: {a36d2a01-00f3-42bd-f434-00bbc39c8953} - c:\windows\system32\ghaf8jkdfd.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {2787EA8E-8D87-48AF-88AD-B30246C917AB} - No File
TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [svshost] c:\windows\tempie\svshost.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [Document Manager] c:\program files\wave systems corp\services manager\docmgr\bin\docmgr.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [ShowLOMControl] 1 (0x1)
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [BackupClient.exe] c:\program files\student backup\BackupClient.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [FixCamera] c:\windows\FixCamera.exe
mRun: [tsnp325] c:\windows\tsnp325.exe
mRun: [snp325] c:\windows\vsnp325.exe
mRun: [cftmon] c:\windows\system32\bzwek.exe
mRun: [17537654] c:\documents and settings\all users\application data\17537654\17537654.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\documents and settings\administrator\start menu\programs\startup\ChkDisk.dll
StartupFolder: c:\documents and settings\administrator\start menu\programs\startup\ihaupd32.exe
StartupFolder: c:\documents and settings\administrator\start menu\programs\startup\zqosys32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\embass~1.lnk - c:\program files\wave systems corp\services manager\secure update\AutoUpdate.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: &Search - ?p=ZJfox000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/authorware/awswaxd.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: wxvault.dll ,c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL ywrjmx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\ghaf8jkdfd.dll: {a36d2a01-00f3-42bd-f434-00bbc39c8953} - c:\windows\system32\ghaf8jkdfd.dll
LSA: Authentication Packages = msv1_0 wvauth c:\windows\system32\geBuUlMf

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\73infzua.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=&query=
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\73infzua.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ZangoSA.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npWebLaunch.dll
FF - plugin: c:\program files\thrixxx\weblaunch\binaries\npWebLaunch.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-07-22 22:27 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-07-22 22:27 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-07-22 22:27 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-07-22 22:27 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-07-22 22:27 <DIR> --d----- c:\program files\common files\PC Tools
2009-07-22 22:27 <DIR> --d----- c:\program files\Spyware Doctor
2009-07-22 22:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-07-22 22:27 <DIR> --d----- c:\docume~1\admini~1\applic~1\PC Tools
2009-07-22 10:25 <DIR> --d----- c:\docume~1\admini~1\applic~1\uTorrent
2009-07-16 23:41 56,680 a------- c:\windows\system32\rpcnet.dll
2009-07-16 22:24 18,944 a------- c:\windows\system32\geyekrxxylktcu.dll
2009-07-16 22:24 85 a------- c:\windows\system32\geyekrmbetydgn.dat
2009-07-16 22:24 42,496 a------- c:\windows\system32\geyekrsfseyakh.dll
2009-07-16 22:24 69,120 a------- c:\windows\system32\drivers\geyekrkibsiqis.sys
2009-07-16 22:09 2 a------- c:\windows\0101120101464849.dat
2009-07-16 22:09 2 a------- c:\windows\010112010146118114.dat
2009-07-16 22:08 138,752 a------- c:\windows\msa.exe
2009-07-16 22:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\17537654
2009-07-16 22:07 <DIR> --dsh--- c:\windows\System Volume Information
2009-07-16 22:07 15,000 a------- c:\windows\system32\ghaf8jkdfd.dll
2009-07-16 15:17 143,364 a------- c:\windows\system32\msxml71.dll
2009-07-04 20:15 <DIR> --d----- c:\program files\Norton Security Scan
2009-07-04 15:57 <DIR> --d----- C:\ProgramData
2009-07-04 15:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Electronic Arts
2009-07-04 15:54 <DIR> --d----- c:\program files\Microsoft WSE
2009-06-29 17:34 <DIR> --d----- c:\windows\tempie
2009-06-29 17:34 <DIR> --d-h--- c:\windows\PIF
2009-06-29 17:34 <DIR> --d----- c:\program files\common files\snp325
2009-06-29 17:34 <DIR> --d----- c:\windows\CatRoot
2009-06-29 17:34 <DIR> --d----- c:\program files\Vimicro
2009-06-29 14:39 0 a------- c:\windows\system32\drivers\471f9d1.sys
2009-06-28 08:48 219 a------- c:\windows\system32\winset.ini
2009-06-25 14:26 20,480 a------- c:\windows\FixCamera.exe
2009-06-25 14:26 835,584 a------- c:\windows\vsnp325.exe
2009-06-25 14:26 270,336 a------- c:\windows\tsnp325.exe
2009-06-25 14:26 15,498 a------- c:\windows\snp325.ini
2009-06-25 14:26 13,023 a------- c:\windows\snp325.src
2009-06-25 14:26 10,384,896 a------- c:\windows\system32\drivers\snp325.sys
2009-06-25 14:26 147,456 a------- c:\windows\system32\rsnp325.dll
2009-06-25 14:26 57,344 a------- c:\windows\system32\vsnpx32.dll
2009-06-25 14:05 94,208 a------- c:\windows\amcap.exe
2009-06-25 14:05 53,248 a------- c:\windows\Vm_sti.exe
2009-06-25 14:05 307,200 a------- c:\windows\vidcap32.Exe
2009-06-25 14:05 225,357 a------- c:\windows\system32\VM31bPrp.Ax
2009-06-25 14:05 94,208 a------- c:\windows\VMCap.exe
2009-06-25 14:05 61,440 a------- c:\windows\system32\VM31bSTI.dll
2009-06-25 14:05 57,344 a------- c:\windows\StillCap.exe
2009-06-25 14:05 93,600 a------- c:\windows\system32\drivers\usbVM31b.sys
2009-06-25 13:44 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-06-24 12:02 56,680 -------- c:\windows\system32\rpcnet.dll_old
2009-06-24 10:28 <DIR> --d----- c:\windows\system32\lowsec

==================== Find3M ====================

2009-07-22 22:36 17,408 a------- c:\windows\system32\Rpcnetp.exe
2009-07-05 15:32 105,475 a------- c:\windows\system32\nvModes.dat
2009-06-25 13:47 17,408 a------- c:\windows\system32\rpcnetp.dll
2009-06-09 03:22 56,680 a------- c:\windows\system32\rpcnet.exe
2009-05-13 01:15 5,936,128 a------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-30 17:22 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-04-30 17:22 1,985,024 -------- c:\windows\system32\dllcache\iertutil.dll
2009-04-30 17:22 1,207,808 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 17:22 11,064,832 -------- c:\windows\system32\dllcache\ieframe.dll
2009-04-30 17:22 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 17:22 385,536 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 17:22 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-04-30 07:21 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-09 20:45 24 ac------ c:\documents and settings\administrator\jagex_runescape_preferences.dat
2007-05-03 23:13 936,168 a------- c:\program files\common files\SaveAsPDF.exe

============= FINISH: 23:06:28.45 ===============
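An added triage helper (my example, not part of this thread or of the DDS tool) that applies the kinds of checks a malware-response reviewer makes on the Pseudo HJT Report section of the log above: a Winlogon Taskman override, run entries in recycler or temp folders or with typo-squatted names, lockout policies, populated AppInit_DLLs, and extra LSA authentication packages. The rule names, the KNOWN_NAMES allowlist and the similarity cutoff are my assumptions; the sample lines are copied from the log.

```python
import re
from difflib import get_close_matches

# Sample input: Pseudo HJT Report lines taken from the DDS log above.
SAMPLE_DDS = r"""
mWinlogon: Taskman=c:\recycler\s-1-5-21-0291685912-5875948537-382693809-0553\svchost.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [svshost] c:\windows\tempie\svshost.exe
mRun: [cftmon] c:\windows\system32\bzwek.exe
uPolicies-system: DisableRegistryTools = 1 (0x1)
AppInit_DLLs: wxvault.dll ,c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL ywrjmx.dll
LSA: Authentication Packages = msv1_0 wvauth c:\windows\system32\geBuUlMf
""".strip()

# Assumed allowlist: system binaries that malware imitates with one-letter swaps.
KNOWN_NAMES = ["svchost.exe", "ctfmon.exe", "lsass.exe", "explorer.exe", "winlogon.exe"]
SUSPECT_DIRS = re.compile(r"\\(recycler|temp[^\\]*)\\", re.I)
LOCKOUT_POLICY = re.compile(r"(DisableRegistryTools|NoFolderOptions|DisableTaskMgr)\s*=\s*1")
EXE_NAME = re.compile(r'([^\\\s"\[\]]+\.exe)', re.I)

def looks_like_typosquat(name):
    # Near miss (but not an exact match) of a known binary, e.g. svshost vs svchost.
    close = get_close_matches(name, KNOWN_NAMES, n=1, cutoff=0.85)
    return bool(close) and close[0] != name

def triage(dds_text):
    """Return (rule, detail) pairs for the entries a reviewer should look at first."""
    hits = []
    for line in dds_text.splitlines():
        key, _, value = line.partition(":")
        value = value.strip()
        if key.endswith("Winlogon") and value.lower().startswith("taskman="):
            hits.append(("winlogon-taskman", line))  # normally absent; replaces Task Manager
        elif key.endswith("Run") and (m := re.match(r"\[([^\]]+)\]\s*(.*)", value)):
            label, command = m.groups()
            if SUSPECT_DIRS.search(command):
                hits.append(("suspect-dir", line))
            names = {n.lower() if "." in n else n.lower() + ".exe"
                     for n in (label, *EXE_NAME.findall(command))}
            for name in sorted(names):
                if looks_like_typosquat(name):
                    hits.append(("typosquat-name", f"{name} <- {line}"))
        elif "Policies" in key and LOCKOUT_POLICY.search(value):
            hits.append(("policy-lockout", line))  # regedit / folder options disabled
        elif key == "AppInit_DLLs" and value:
            hits.append(("appinit-dlls", line))  # loaded into every process using user32
        elif key == "LSA" and value.startswith("Authentication Packages") and any(
                p.lower() != "msv1_0" for p in value.partition("=")[2].split()):
            hits.append(("lsa-auth-package", line))  # only msv1_0 is expected by default
    return hits
```

Run `triage(SAMPLE_DDS)` to see the seven entries a reviewer would ask about first; a clean stock entry such as the igfxtray line produces nothing.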


#2 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 01 August 2009 - 08:07 AM

Hello and welcome to Bleeping Computer.

My name is Syler, I will be helping you to solve your Malware issues. Whilst I am helping you, I would be grateful if you would note the following:
  • Please do not run other tools or scans unless I ask you to and follow all the steps I give you, in order.
  • Copy and paste all logs requested in your reply. Do not attach them unless asked to.
  • If you don't know or understand something, please don't hesitate to say or ask before you proceed with my instructions.
  • Please continue to work with me, until I tell you your machine appears to be clean. Absence of symptoms does not mean that everything is clear.
  • If I do not hear back from you within 5 days of my last post, then this topic will be closed.

Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Next
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Then please post back here with the following:
  • MBAM log
  • log.txt
  • info.txt
Thanks



#3 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 05 August 2009 - 06:21 PM

Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
