
Virtumonde Go Away!


This topic is locked
3 replies to this topic

#1 BlackDeath

BlackDeath

  • Members
  • 6 posts

Posted 24 February 2006 - 05:55 AM

I'm an avid PC gamer. Recently I noticed a process running that wasn't there before called "ftpacc". I have tried just about any and all ways to make it go away. It won't shut off, so it can't be deleted. All the filekill progs don't work to even make it stop running, nor do the delete-on-reboot progs. Here's my HJT log and a Panda scan log and a VBG log for your viewing pleasure. Any help will be greatly appreciated!

HJT LOG
Logfile of HijackThis v1.99.1
Scan saved at 3:57:47 AM, on 2/26/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\WINDOWS\system\ftpacc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: CATLEvents Object - {13589181-4F0D-4553-B9F8-B4B72172C139} - C:\DOCUME~1\Brian\LOCALS~1\Temp\ccaptf.dat
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [*ftpacc] C:\WINDOWS\system\ftpacc.exe rerun
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.1.4.22/lott...o-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.1.4.22/peak...s-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://game1.pogo.com/applet-6.1.4.22/worl...s-ob-assets.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200411...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E0D2559E-8415-4EC4-8BE4-718E8BC119FB}: NameServer = 205.188.146.145
O20 - Winlogon Notify: accav - C:\DOCUME~1\Brian\LOCALS~1\Temp\vacca.dat
O20 - Winlogon Notify: acdb - C:\DOCUME~1\Brian\LOCALS~1\Temp\bdca.dat
O20 - Winlogon Notify: acutil - C:\DOCUME~1\Brian\LOCALS~1\Temp\lituca.dat
O20 - Winlogon Notify: antivss - C:\DOCUME~1\Brian\LOCALS~1\Temp\ssvitna.dat
O20 - Winlogon Notify: asplay - C:\DOCUME~1\Brian\LOCALS~1\Temp\yalpsa.dat
O20 - Winlogon Notify: bakiis - C:\DOCUME~1\Brian\LOCALS~1\Temp\siikab.dat
O20 - Winlogon Notify: binreg - C:\DOCUME~1\Brian\LOCALS~1\Temp\gernib.dat
O20 - Winlogon Notify: ciis - C:\DOCUME~1\Brian\LOCALS~1\Temp\siic.dat
O20 - Winlogon Notify: cjava - C:\DOCUME~1\Brian\LOCALS~1\Temp\avajc.dat
O20 - Winlogon Notify: dllrun - C:\DOCUME~1\Brian\LOCALS~1\Temp\nurlld.dat
O20 - Winlogon Notify: dllvb - C:\DOCUME~1\Brian\LOCALS~1\Temp\bvlld.dat
O20 - Winlogon Notify: expun - C:\DOCUME~1\Brian\LOCALS~1\Temp\nupxe.dat
O20 - Winlogon Notify: ftpacc - C:\DOCUME~1\Brian\LOCALS~1\Temp\ccaptf.dat
O20 - Winlogon Notify: ftpjava - C:\DOCUME~1\Brian\LOCALS~1\Temp\avajptf.dat
O20 - Winlogon Notify: harddisk - C:\DOCUME~1\Brian\LOCALS~1\Temp\ksiddrah.dat
O20 - Winlogon Notify: imglib - C:\DOCUME~1\Brian\LOCALS~1\Temp\bilgmi.dat
O20 - Winlogon Notify: inetxml - C:\DOCUME~1\Brian\LOCALS~1\Temp\lmxteni.dat
O20 - Winlogon Notify: javabas - C:\DOCUME~1\Brian\LOCALS~1\Temp\sabavaj.dat
O20 - Winlogon Notify: jpegmp3 - C:\DOCUME~1\Brian\LOCALS~1\Temp\3pmgepj.dat
O20 - Winlogon Notify: msdrv - C:\DOCUME~1\Brian\LOCALS~1\Temp\vrdsm.dat
O20 - Winlogon Notify: odbcdos - C:\DOCUME~1\Brian\LOCALS~1\Temp\sodcbdo.dat
O20 - Winlogon Notify: oleimg - C:\DOCUME~1\Brian\LOCALS~1\Temp\gmielo.dat
O20 - Winlogon Notify: svcbin - C:\DOCUME~1\Brian\LOCALS~1\Temp\nibcvs.dat
O20 - Winlogon Notify: sysdvd - C:\DOCUME~1\Brian\LOCALS~1\Temp\dvdsys.dat
O20 - Winlogon Notify: tcpeula - C:\DOCUME~1\Brian\LOCALS~1\Temp\aluepct.dat
O20 - Winlogon Notify: wavenut - C:\DOCUME~1\Brian\LOCALS~1\Temp\tunevaw.dat
O20 - Winlogon Notify: waveps - C:\DOCUME~1\Brian\LOCALS~1\Temp\spevaw.dat
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE


Panda scan log:
Incident Status Location

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM\FTPACC.EXE
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system\ftpacc.exe
Spyware:Spyware/Virtumonde Not disinfected C:\DOCUME~1\Brian\LOCALS~1\Temp\ccaptf.dat
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Brian\Cookies\brian@ad.yieldmanager[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Brian\Cookies\brian@stats1.reliablestats[2].txt
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\3pmgepj.dat
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\3pmgepj.dat( 1)
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\ftpacc.exe
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\ksiddrah.dat
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\yalpsa.dat
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Brian\Cookies\brian@ad.yieldmanager[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Brian\Cookies\brian@stats1.reliablestats[2].txt
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Brian\Local Settings\Temp\3pmgepj.dat
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Brian\Local Settings\Temp\aluepct.dat
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Brian\Local Settings\Temp\avajc.dat
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Brian\Local Settings\Temp\avajptf.dat
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Brian\Local Settings\Temp\bdca.dat
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Brian\Local Settings\Temp\bilgmi.dat
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Brian\Local Settings\Temp\bvlld.dat
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Brian\Local Settings\Temp\ccaptf.dat
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Brian\Local Settings\Temp\dvdsys.dat
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Brian\Local Settings\Temp\gernib.dat
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Brian\Local Settings\Temp\gmielo.dat
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Brian\Local Settings\Temp\ksiddrah.dat
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Brian\Local Settings\Temp\lituca.dat
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Brian\Local Settings\Temp\lmxteni.dat
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Brian\Local Settings\Temp\nibcvs.dat
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Brian\Local Settings\Temp\nupxe.dat
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Brian\Local Settings\Temp\nurlld.dat
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Brian\Local Settings\Temp\sabavaj.dat
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Brian\Local Settings\Temp\siic.dat
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Brian\Local Settings\Temp\siikab.dat
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Brian\Local Settings\Temp\sodcbdo.dat
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Brian\Local Settings\Temp\spevaw.dat
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Brian\Local Settings\Temp\ssvitna.dat
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Brian\Local Settings\Temp\tunevaw.dat
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Brian\Local Settings\Temp\vacca.dat
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Brian\Local Settings\Temp\vrdsm.dat
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Brian\Local Settings\Temp\yalpsa.dat
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system\ftpacc.exe

Virtumundo be gone log??


[02/26/2006, 3:54:52] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Brian\My Documents\VirtumundoBeGone.exe" )
[02/26/2006, 3:54:58] - Detected System Information:
[02/26/2006, 3:54:58] - Windows Version: 5.1.2600,
[02/26/2006, 3:54:58] - Current Username: Brian (Admin)
[02/26/2006, 3:54:58] - Windows is in NORMAL mode.
[02/26/2006, 3:54:58] - Searching for Browser Helper Objects:
[02/26/2006, 3:54:58] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} (Yahoo! Companion BHO)
[02/26/2006, 3:54:58] - BHO 2: {13589181-4F0D-4553-B9F8-B4B72172C139} (CATLEvents Object)
[02/26/2006, 3:54:58] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[02/26/2006, 3:54:58] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/26/2006, 3:54:58] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[02/26/2006, 3:54:58] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[02/26/2006, 3:54:58] - Finished Searching Browser Helper Objects
[02/26/2006, 3:54:58] - Finishing up...
[02/26/2006, 3:54:58] - Nothing found! Exiting...

One says I have it, the other doesn't??? Go figure. Also, I cannot delete those temp files in the HJT log either??
:thumbsup:
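The O20, O2 and RunOnce lines in the HijackThis log above share a recognisable shape: handlers loaded from the user's Temp directory, "DLLs" carrying a .dat extension, a Notify key whose handler file name is the key name spelled backwards (accav / vacca.dat, ftpacc / ccaptf.dat), and a RunOnce value prefixed with "*". The following Python script is an added example, not part of the original post and not code from HijackThis, Panda or VirtumundoBeGone. It parses those line types out of a log and reports only the entries that match one of these heuristics. The sample log is constructed from seven lines of the log posted above; the heuristics are assumptions drawn from the patterns visible in this one log (the "*" RunOnce behaviour in Safe Mode is documented Windows behaviour), so they are a triage aid for reading such a log, not a malware signature.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample: seven lines copied from the HijackThis log in the post above,
# mixing benign entries (Yahoo BHO, AVG, NVIDIA service) with the entries Panda
# attributed to Virtumonde, so the filter has both kinds to work on.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: CATLEvents Object - {13589181-4F0D-4553-B9F8-B4B72172C139} - C:\DOCUME~1\Brian\LOCALS~1\Temp\ccaptf.dat
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [*ftpacc] C:\WINDOWS\system\ftpacc.exe rerun
O20 - Winlogon Notify: accav - C:\DOCUME~1\Brian\LOCALS~1\Temp\vacca.dat
O20 - Winlogon Notify: ftpacc - C:\DOCUME~1\Brian\LOCALS~1\Temp\ccaptf.dat
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Per-user Temp directory in both the 8.3 short form (LOCALS~1\Temp) and the long form.
TEMP_DIR_RE = re.compile(r"\\(LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)

# One pattern per HijackThis section this triage looks at (assumed field layout, taken from the log above).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
# Executable part of an O4 command line: everything up to the first ".exe", quotes stripped.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)"?', re.IGNORECASE)


@dataclass
class Finding:
    section: str
    name: str
    path: str
    reasons: list = field(default_factory=list)


def _temp_check(finding, what):
    if TEMP_DIR_RE.search(finding.path):
        finding.reasons.append(f"{what} loaded from the user's Temp directory")


def _triage_line(line):
    """Parse one HJT line; return a Finding (possibly with no reasons) or None if the line is not O2/O4/O20."""
    m = O2_RE.match(line)
    if m:
        f = Finding("O2", m["name"], m["path"])
        _temp_check(f, "BHO")
        if not f.path.lower().endswith(".dll"):
            f.reasons.append("BHO module does not carry a .dll extension")
        return f
    m = O4_RE.match(line)
    if m:
        exe = EXE_RE.match(m["cmd"])
        f = Finding("O4", m["name"], exe["exe"] if exe else m["cmd"])
        _temp_check(f, "Run entry")
        if m["key"].lower() == "runonce" and f.name.startswith("*"):
            f.reasons.append("RunOnce value with '*' prefix, which Windows also executes in Safe Mode")
        return f
    m = O20_RE.match(line)
    if m:
        f = Finding("O20", m["name"], m["path"])
        _temp_check(f, "Winlogon Notify handler")
        if not f.path.lower().endswith(".dll"):
            f.reasons.append("Winlogon Notify handler does not carry a .dll extension")
        # Observed in the log above: the handler's file stem is the Notify key name reversed.
        stem = ntpath.splitext(ntpath.basename(f.path))[0]
        if stem.lower() == f.name.lower()[::-1]:
            f.reasons.append("handler file name is the Notify key name spelled backwards")
        return f
    return None


def triage_hjt(log_text):
    """Return the O2/O4/O20 entries of a HijackThis log that trip at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        f = _triage_line(raw.strip())
        if f and f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{f.section} [{f.name}] {f.path}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

Run against the sample it reports the CATLEvents BHO, the *ftpacc RunOnce value and both Notify handlers, and stays silent on the Yahoo, AVG and NVIDIA lines. Feeding it the whole O20 block of the post flags all twenty-seven Notify entries for the same three reasons, which is the quick way to see that the Panda hits and the HJT entries describe the same set of files.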



#2 Jag11

Jag11

  • Members
  • 1,027 posts
  • Location:127.0.0.1

Posted 25 February 2006 - 03:20 AM

Hi and welcome to BleepingComputer

I'm Jet Ian, and I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.
Proud member of ASAP and UNITE since 2006.
Everyone wants to go to heaven, but no one wants to die.


#3 BlackDeath

BlackDeath
  • Topic Starter

  • Members
  • 6 posts

Posted 25 February 2006 - 05:32 PM

Thank you Jet, but go ahead and focus on the people who need it! I fixed it all by doing some extensive research on this forum and following steps provided to others! I'll say this: "EWIDO" is a dream come true! It was the only thing that would stop the FTPACC process from running, isolate it and set it up to delete on reboot.

MANY PEOPLE COULD SAVE THE FOLKS HERE TIME BY USING THE SEARCH BUTTON! :thumbsup:

#4 Jag11

Jag11

  • Members
  • 1,027 posts
  • Location:127.0.0.1

Posted 31 March 2006 - 12:19 AM

Since this issue appears resolved... this topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Jet Ian
Proud member of ASAP and UNITE since 2006.
Everyone wants to go to heaven, but no one wants to die.
