
Virtumonde ??


  • This topic is locked
1 reply to this topic

#1 Madsparrow

  • Members
  • 13 posts

Posted 17 January 2010 - 06:44 PM

Hi, I'm posting this following instructions received from SifuMike in this post:
http://www.bleepingcomputer.com/forums/t/286202/vitumonde-bulletproof/



DDS (Ver_09-12-01.01) - NTFSx86
Run by MaRk at 22:31:46.85 on 17/01/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.285 [GMT 0:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MicroNEXT\MN-WD542T Wireless Utility\ZDWlan.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Avira\AntiVir Desktop\avcenter.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\MaRk\Desktop\dds.scr

============== Pseudo HJT Report ===============

uURLSearchHooks: AGSearchHook Class: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - c:\program files\agi\common\agcutils.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: : {0bc2ab55-12fe-4336-8088-2fce83068c2d} - c:\windows\system32\atraces.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {2663BCFC-7A27-4F15-A611-659CC95BEB4C} - No File
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5177364F-F2D3-499E-9F91-DE4C15381283} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {6FFFDA11-559E-4533-B0A0-80886C8B1D4F} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: {c839f003-ec27-4ca5-ae03-48b5a4fb2484} - c:\windows\system32\authzq.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: Kiwee Toolbar: {6638a9de-0745-4292-8a2e-ae530e7b9b3f} - c:\program files\kiwee toolbar\2.8.167\KiweeIEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [CES_V4]
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mn-wd5~1.lnk - c:\program files\micronext\mn-wd542t wireless utility\ZDWlan.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4}
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E}
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab}
DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16}
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC}
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} - file://c:\program files\autocad lt 2000i\AcDcToday.ocx
DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} - hxxp://cid-9191e7016e841229.spaces.live.com/PhotoUpload/MsnPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE}
DPF: {C6637286-300D-11D4-AE0A-0010830243BD} - file://c:\program files\autocad lt 2000i\InstFred.ocx
DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} - hxxps://cid-4c76422c0422c8fd.skydrive.live.com/Microsoft.Live.Folders.RichUpload.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
DPF: {F281A59C-7B65-11D3-8617-0010830243BD} - file://c:\program files\autocad lt 2000i\AcPreview.ocx
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: khfecdc - khfecdc.dll
Notify: xsxpopfn - atraces.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mark\applic~1\mozilla\firefox\profiles\njzchey5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.metcheck.com/V40/UK/FREE/7days.asp?zipcode=L23|https://www.zurichcorporatepensions.co.uk/asp/zwlogin.asp|http://uk.finance.yahoo.com/q/bc?s=%5EFTSE&t=1d&l=on&z=m&q=l&c=|http://webfund6.financialexpress.net/clients/royallondon/perfChart.aspx?UnitCode=AQM&FundType=LF|http://www.timesonline.co.uk/tol/news/|http://stores.shop.ebay.co.uk/cybox-exhausts_Alfa-Romeo--Exhausts_W0QQLHQ5fSellerWithStoreZ1QQLHQ5fTitleDescZ1QQ_fsubZ2QQ_sasiZ1QQ_sidZ163064708QQ_trksidZp4634Q2ec0Q2em322
FF - prefs.js: keyword.URL - hxxp://kwtb.search.imgag.com/?c=GNKIW29193&sbs=1&sc=2&f=web&vernum=1.0&uid=&did=f8d4a70c-98e2-4081-901d-01bf93043ede&q=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R0 cqegybhz;cqegybhz;c:\windows\system32\drivers\cqegybhz.sys [2004-8-10 23424]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-1-17 11608]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2009-11-19 58984]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2009-11-19 334568]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-1-17 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-1-17 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-1-17 55656]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-11-7 54752]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2009-11-19 967912]
R3 ZD1211BU(MicroNEXT);MN-WD542T Wireless USB Adapter Driver(MicroNEXT);c:\windows\system32\drivers\ZD1211BU.sys [2005-10-28 500736]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe --> c:\progra~1\mcafee\viruss~1\mcshield.exe [?]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [2005-6-9 20608]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 PAC207;Trust WB-1400T Webcam;c:\windows\system32\drivers\PFC027.sys [2005-2-24 162176]
S3 SQTECH930B;Trust WB-3500T USB2 Webcam;c:\windows\system32\drivers\capt930b.sys --> c:\windows\system32\drivers\Capt930b.sys [?]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [2007-7-5 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [2007-7-5 85696]
S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [2005-10-28 500736]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe --> c:\progra~1\mcafee\viruss~1\mcsysmon.exe [?]
S4 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\o2\bin\sprtsvc.exe [2007-6-7 202280]

=============== Created Last 30 ================

2010-01-17 14:43:58 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-17 14:43:51 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-01-17 14:40:04 0 d-----w- c:\program files\AVIRA
2010-01-14 23:32:26 54156 ---ha-w- c:\windows\QTFont.qfn
2010-01-14 23:32:26 1409 ----a-w- c:\windows\QTFont.for
2010-01-13 23:39:36 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-10 23:56:29 0 d-----w- c:\program files\CES V4 Chameleon
2010-01-10 23:26:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-10 23:26:16 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-10 21:56:55 24576 ----a-w- c:\windows\system32\VundoFixSVC.exe
2010-01-10 21:31:45 0 d-----w- C:\VundoFix Backups
2010-01-10 17:35:11 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-10 00:17:46 0 d-----w- c:\program files\BlueSquare Poker
2010-01-03 21:31:08 0 d-----w- c:\program files\HP
2009-12-27 17:17:53 5869568 ----a-r- C:\EBUB5.DLL
2009-12-27 17:17:27 778240 ------w- C:\EBUB3.EXE
2009-12-21 00:04:19 3255 ----a-w- c:\windows\system32\wbem\Outlook_01ca81d12457fe98.mof
2009-12-19 16:43:25 29869659 ----a-w- c:\documents and settings\mark\191209-3.doc
2009-12-19 12:34:09 0 d-----w- c:\program files\MSECache

==================== Find3M ====================

2009-10-29 05:38:23 667136 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2008-05-28 19:51:21 2671704 ----a-w- c:\program files\RegSupremePro_setup.exe
2007-02-27 23:02:53 316642 ----a-w- c:\program files\TRIPEAKS.zip
2007-02-17 16:47:10 251656 ----a-w- c:\program files\jre-1_5_0_11-windows-i586-p-iftw.exe
2007-01-06 23:28:20 4033792 ----a-w- c:\program files\channel4_on_demand.exe
2006-12-28 23:54:04 15001752 ----a-w- c:\program files\GoogleEarthWin.exe
1999-08-13 06:00:00 4820 ----a-w- c:\program files\CAMUNWISE.INI
2007-11-05 16:10:04 88 --sha-w- c:\windows\system32\005227F68E.sys
2007-11-05 16:10:58 2672 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 22:33:10.07 ===============

Edited by Madsparrow, 17 January 2010 - 06:45 PM.


#2 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender: Male
  • Location: Vancouver (not BC) WA (Not DC) USA

Posted 17 January 2010 - 07:16 PM

I'm closing this thread, as you are being helped here http://www.bleepingcomputer.com/forums/ind...p;#entry1586920
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.



