Virtumonde and other malware


  • This topic is locked
2 replies to this topic

#1 idoruninja

  • Members
  • 2 posts

Posted 04 April 2010 - 11:23 PM

Hi, and thanks in advance. I have a self-replicating malware and trojan-oriented infection that Spybot cannot remove.
I use ZoneAlarm and it has stopped most of the created .exe files. Here are some example entries from my ZoneAlarm logs.

PE,2010/04/04,16:58:16 -7:00 GMT,mdm.exe,C:\Documents and Settings\Dirt\Local Settings\Temp\mdm.exe,85.17.239.20:80,N/A
ACCESS,2010/04/04,16:58:18 -7:00 GMT,mdm.exe was blocked from connecting to the Internet (85.17.239.20:HTTP).,N/A,N/A

From my Spybot logs, here are some examples of what it finds.

Smitfraud-C.: [SBI $86302BFF] Executable (File, fixed)
C:\Documents and Settings\Dirt\Local Settings\Temp\taskmgr.exe
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Smitfraud-C.: [SBI $A97C4E9A] Executable (File, fixed)
C:\Documents and Settings\Dirt\Local Settings\Temp\services.exe
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Microsoft.Windows.disableSystemRestore: [SBI $6296EC95] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR

Microsoft.WindowsSecurityCenter.RegistryTools: [SBI $D60CD1E3] Settings (Registry change, fixed)
HKEY_USERS\S-1-5-21-861567501-179605362-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableRegistryTools

It disables regedit, folder options and system restore.

In Spybot it mainly pulls up Virtumonde, but when I remove and fix with Spybot and HijackThis it just replicates again.

I attempted 3 times to run a GMER scan but it hung every time.

Here is my DDS log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Dirt at 19:24:49.90 on Sun 04/04/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2757 [GMT -7:00]

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Documents and Settings\Dirt\Local Settings\Temp\notepad.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\DOCUME~1\Dirt\LOCALS~1\Temp\iexplarer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\DOCUME~1\Dirt\LOCALS~1\Temp\mdm.exe
C:\DOCUME~1\Dirt\LOCALS~1\Temp\taskmgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Documents and Settings\Dirt\Desktop\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: c:\windows\system32\g8basl.dll: {a9ba40a1-74f1-52bd-f431-00b15a2c8953} - c:\windows\system32\g8basl.dll
BHO: {f677a51c-1e90-4082-8e2d-eddaab80f81b} - kuhirelu.dll
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [hsf87efjhdsf87f3jfsdi7fhsujfd] c:\docume~1\dirt\locals~1\temp\taskmgr.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SecurDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
mRun: [InCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [WhenUSave] c:\program files\save\Save.exe
mRun: [baderigezi] Rundll32.exe "lerobido.dll",s
StartupFolder: c:\docume~1\dirt\startm~1\programs\startup\deskto~1.lnk - c:\program files\vghd\vghd.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: lewiyidi.dll
STS: c:\windows\system32\g8basl.dll: {a9ba40a1-74f1-52bd-f431-00b15a2c8953} - c:\windows\system32\g8basl.dll
LSA: Notification Packages = scecli lewiyidi.dll lerobido.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
IFEO: MpCmdRun.exe - c:\windows\system32\svchost.exe
IFEO: MSASCui.exe - c:\windows\system32\svchost.exe
IFEO: MsMpEng.exe - c:\windows\system32\svchost.exe
IFEO: msseces.exe - c:\windows\system32\svchost.exe
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dirt\applic~1\mozilla\firefox\profiles\p2w72k66.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/?FORM=Z9FD1
FF - plugin: c:\documents and settings\dirt\application data\mozilla\firefox\profiles\p2w72k66.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-1-26 64288]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-1-26 486280]
R2 seagate;seagate;c:\windows\system32\seagate.sys [2001-8-23 2304]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S2 Ias;Windows Protected Access;c:\windows\system32\svchost.exe -k netsvcs [2001-8-23 14336]
S3 ATICDSDr;ATICDSDr;\??\e:\drivers\chipset\driver\x86_x64\bin\atiicdxx.sys --> e:\drivers\chipset\driver\x86_x64\bin\atiicdxx.sys [?]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\dragon age\bin_ship\daupdatersvc.service.exe [2009-12-15 25832]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-2-21 14424]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]

=============== Created Last 30 ================

2010-04-04 22:16:38 0 d-----w- c:\program files\Trend Micro
2010-04-04 09:24:06 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-04-04 09:01:52 0 d-----w- c:\program files\AMD
2010-04-04 09:01:34 22424 ----a-w- c:\windows\Ascd_log.ini
2010-04-04 09:01:07 0 d-----r- c:\windows\AsDmiHtm
2010-04-04 08:58:35 128000 ----a-r- c:\windows\system32\drivers\AtiHdAud.sys
2010-04-04 06:25:17 3 ----a-w- c:\windows\system32\fhpatch.dll
2010-04-04 06:25:17 0 ----a-w- c:\windows\system32\fiplock.dll
2010-04-04 06:24:52 573440 ----a-w- c:\windows\system32\IPHACTION.dll
2010-04-04 04:19:20 0 d--h--w- c:\windows\system32\GroupPolicy
2010-04-04 03:53:55 20000 ----a-w- c:\windows\system32\g8basl.dll
2010-04-04 03:52:26 20000 ----a-w- c:\windows\system32\nnva0.dll
2010-04-04 03:51:34 20000 ----a-w- c:\windows\system32\rtbejofdtd.dll
2010-04-04 03:51:22 6 ----a-w- c:\windows\system32\iphy.dll
2010-04-04 03:51:21 8192 ----a-w- c:\windows\system32\htmp.030
2010-04-04 03:50:56 4608 ----a-w- c:\windows\system32\srsvc.dll
2010-04-04 03:50:56 4608 ----a-w- c:\windows\system32\C2H3
2010-04-04 03:50:39 20000 ----a-w- c:\windows\system32\ivne94y.dll
2010-04-04 03:50:37 20000 ----a-w- c:\windows\system32\dy1f0z.dll
2010-04-04 03:47:30 0 d-----w- c:\docume~1\dirt\applic~1\Poser Pro
2010-04-04 03:42:06 0 d-----w- c:\docume~1\dirt\applic~1\Queue Manager
2010-03-30 04:32:39 5 ----a-w- c:\windows\treeskp.sys
2010-03-28 21:29:52 0 d-----w- c:\program files\Atari
2010-03-28 21:10:26 0 ----a-w- c:\windows\PowerReg.dat
2010-03-19 02:53:39 0 d-----w- c:\program files\3D Universe
2010-03-19 02:42:34 0 d-----w- C:\Tutorials
2010-03-19 02:42:34 0 d-----w- C:\ReadMe's
2010-03-19 02:09:15 0 d-----w- c:\docume~1\alluse~1\applic~1\OptiTex
2010-03-19 02:06:50 0 d-----w- c:\docume~1\dirt\applic~1\DAZ 3D
2010-03-19 02:06:31 0 d-----w- c:\program files\DAZ 3D
2010-03-18 10:16:58 0 d-----w- c:\program files\DAZ
2010-03-18 10:02:21 0 d-----w- c:\program files\Curious Labs
2010-03-18 10:02:21 0 d-----w- c:\program files\common files\DAZ
2010-03-18 07:21:09 0 d-----w- c:\docume~1\alluse~1\applic~1\Poser
2010-03-18 07:20:02 0 d-----w- c:\docume~1\dirt\applic~1\Poser
2010-03-17 04:55:23 286720 ------w- c:\windows\Setup1.exe
2010-03-17 04:55:22 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-03-17 04:52:31 4 ----a-w- c:\windows\system32\XMCACTSLCI1
2010-03-17 04:52:31 4 ----a-w- c:\windows\SAXGATXNMY1
2010-03-17 04:52:31 11 ----a-w- c:\windows\MTWDAS1.INI
2010-03-17 04:52:27 609824 ----a-w- c:\windows\system32\comctl32.ocx
2010-03-17 04:52:27 212240 ----a-w- c:\windows\system32\Richtx32.ocx
2010-03-17 04:52:27 132880 ----a-w- c:\windows\system32\MSINET.OCX
2010-03-17 04:52:27 119808 ----a-w- c:\windows\system32\msstdfmt.dll
2010-03-17 04:52:27 0 d-----w- c:\program files\Magic ASCII Studio
2010-03-17 04:45:11 0 d-----w- c:\program files\ASCII Art Generator
2010-03-14 10:00:27 1128 ----a-w- c:\windows\wininit.ini
2010-03-14 05:36:56 0 d-----w- c:\program files\Convert MP4 to MP3
2010-03-08 00:15:14 0 d-----w- c:\windows\system32\appmgmt

==================== Find3M ====================

2010-03-30 04:32:32 152904 ----a-w- c:\windows\system32\vghd.scr
2010-02-17 06:56:06 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-27 06:00:50 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-01-27 04:16:28 258352 ----a-w- c:\windows\system32\unicows.dll
2010-01-27 03:09:10 8464 ----a-w- c:\windows\system32\sporder.dll
2010-01-27 01:26:49 315392 ----a-w- c:\windows\HideWin.exe
2010-01-27 01:17:43 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-01-04 18:31:30 66560 --sha-w- c:\windows\system32\gobijadi.dll
2010-01-04 03:56:04 48640 --sha-w- c:\windows\system32\hozegupo.dll
2010-01-04 03:49:43 65536 --sha-w- c:\windows\system32\leramada.dll
2010-01-04 03:49:43 65536 --sha-w- c:\windows\system32\liwomajo.dll
2010-01-04 03:50:39 65536 --sha-w- c:\windows\system32\pefuwiwi.dll
2010-01-04 03:56:03 139776 --sha-w- c:\windows\system32\tobajuho.exe
2010-01-04 18:31:30 42496 --sha-w- c:\windows\system32\yaruzesa.dll

============= FINISH: 19:26:18.25 ===============

#2 idoruninja (Topic Starter)

  • Members
  • 2 posts

Posted 05 April 2010 - 12:33 AM

Disregard. I found a tutorial on this site that showed the trick of the alternate-named .exe for Malwarebytes, was able to then run Malwarebytes and kill all the problems. Thanks, sorry to waste your time.
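Added example, not from the thread or from any tool mentioned in it: a small Python triage pass over the DDS and Spybot lines posted above. It flags the IFEO entries that make Windows launch svchost.exe in place of the Microsoft Security Essentials binaries (the image-name-keyed mechanism that a renamed scanner executable, as in the follow-up, does not trigger), the AppInit_DLLs and LSA notification-package entries, and shows that the Spybot MD5 is simply the hash of an empty file. The KNOWN_LSA_PACKAGES set is an assumption.

```python
import hashlib
import re

# Constructed excerpt: lines copied from the DDS "Pseudo HJT Report" and the
# Spybot output posted in the thread, embedded so the script runs offline.
SAMPLE_LOG = r"""
IFEO: MpCmdRun.exe - c:\windows\system32\svchost.exe
IFEO: MSASCui.exe - c:\windows\system32\svchost.exe
IFEO: MsMpEng.exe - c:\windows\system32\svchost.exe
IFEO: msseces.exe - c:\windows\system32\svchost.exe
AppInit_DLLs: lewiyidi.dll
LSA: Notification Packages = scecli lewiyidi.dll lerobido.dll
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
"""

# Assumption: scecli is the package Windows registers by default; any other
# DLL listed here is loaded into lsass.exe at boot and deserves a look.
KNOWN_LSA_PACKAGES = {"scecli"}

# MD5 of zero bytes; a file with this hash has already been emptied.
EMPTY_FILE_MD5 = hashlib.md5(b"").hexdigest()


def triage_dds(text):
    """Return (kind, item, detail) tuples for persistence and evasion markers."""
    findings = []
    for line in text.splitlines():
        m = re.match(r"IFEO:\s+(\S+)\s+-\s+(.*)", line)
        if m:
            # A Debugger value under Image File Execution Options makes Windows
            # start the named "debugger" instead of the program. Pointing the
            # security tools at svchost.exe means they never run; the key matches
            # on image file name, so a renamed copy of a tool is not affected.
            findings.append(("ifeo_redirect", m.group(1), m.group(2).strip()))
            continue
        m = re.match(r"AppInit_DLLs:\s+(.*)", line)
        if m:
            # AppInit_DLLs are injected into every process that loads user32.dll.
            for dll in m.group(1).split():
                findings.append(("appinit_dll", dll, ""))
            continue
        m = re.match(r"LSA:\s+Notification Packages\s*=\s*(.*)", line)
        if m:
            for pkg in m.group(1).split():
                if pkg.lower() not in KNOWN_LSA_PACKAGES:
                    findings.append(("lsa_package", pkg, ""))
            continue
        m = re.match(r"Properties\.md5=([0-9A-Fa-f]{32})", line)
        if m and m.group(1).lower() == EMPTY_FILE_MD5:
            # Spybot had already emptied the file, so this hash says nothing
            # about the original binary and cannot be used to look it up.
            findings.append(("empty_file_hash", m.group(1), ""))
    return findings
```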

#3 syler

  • Malware Response Team
  • 8,150 posts
  • Gender: Male
  • Location: Warrington, UK

Posted 08 April 2010 - 12:04 PM

Thanks for letting us know.

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
