Author Topic: Virtumonde? (Read 12374 times)

philgreen81 · « **on:** December 31, 2007, 05:08:16 PM »

I like many others have been having problems with Avast restarting my OS (XP SP2). I have followed many threads mostwith no avail. My reboot.txt file is empty. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager, does not contain "PendingFileRenameOperations" on my system. I have also tried RenV method described by essexboy.

I have sent my Ashdisp.exe file to Virustotal and got this report which cerrtainly appears suspicious to say the least.

Antivirus   Version   Last Update   Result
AhnLab-V3   2008.1.1.10   2007.12.31   -
AntiVir   7.6.0.46   2007.12.31   -
Authentium   4.93.8   2007.12.30   W32/Virtumonde.OQ
Avast   4.7.1098.0   2007.12.30   -
AVG   7.5.0.516   2007.12.31   Dropper.Agent.GIT
BitDefender   7.2   2007.12.31   Trojan.Dropper.Vundo.D
CAT-QuickHeal   9.00   2007.12.31   -
ClamAV   0.91.2   2007.12.31   Trojan.Dropper-3531
DrWeb   4.44.0.09170   2007.12.31   Trojan.MulDrop.10006
eSafe   7.0.15.0   2007.12.30   -
eTrust-Vet   31.3.5417   2007.12.31   Win32/Trats.A
Ewido   4.0   2007.12.31   Dropper.Agent.dgo
FileAdvisor   1   2007.12.31   -
Fortinet   3.14.0.0   2007.12.31   -
F-Prot   4.4.2.54   2007.12.31   W32/Virtumonde.OQ
F-Secure   6.70.13030.0   2007.12.31   Trojan-Dropper.Win32.Agent.dgo
Ikarus   T3.1.1.15   2007.12.31   Trojan-Dropper.Win32.Agent.dgo
Kaspersky   7.0.0.125   2007.12.31   Trojan-Dropper.Win32.Agent.dgo
McAfee   5195   2007.12.28   -
Microsoft   1.3109   2007.12.31   Virus:Win32/Trats.C
NOD32v2   2758   2007.12.31   Win32/TrojanDropper.Agent.DGO
Norman   5.80.02   2007.12.31   -
Panda   9.0.0.4   2007.12.31   -
Prevx1   V2   2007.12.31   Dropper.Agent.GIT
Rising   20.24.52.00   2007.12.29   -
Sophos   4.24.0   2007.12.31   W32/VirtInf-B
Sunbelt   2.2.907.0   2007.12.30   -
Symantec   10   2007.12.31   W32.Trats!inf
TheHacker   6.2.9.175   2007.12.29   -
VBA32   3.12.2.5   2007.12.29   Trojan-Dropper.Win32.Agent.dgo
VirusBuster   4.3.26:9   2007.12.31   Win32.Trats.Gen
Webwasher-Gateway   6.6.2   2007.12.31   -

Additional information
File size: 454144 bytes
MD5: cb2cb3558829a0e42b0b80f1583db9db
SHA1: 2e4d3cddd8b7b86660cfa1c360478bd736d2ab6a

This suggests to me in my limited experience that the ashdisp.exe file has been corrupted by one or all of the viruses above? I tried deleting the file and restartting, I still had the same problem, I tried uninstalling and re-installing and still the problem persists. Can anyone please help? I have Avast Home version 4.7.1098 VPS version 071230-0.

Many thanks

Lisandro · « **Reply #1 on:** December 31, 2007, 08:03:37 PM »

Does this tool help?
http://www.symantec.com/security_response/writeup.jsp?docid=2003-120914-4108-99&tabid=3

essexboy · « **Reply #2 on:** December 31, 2007, 08:13:40 PM »

If you have the "latest" Version of Virtumond you will need to kill all the infected files otherwise it will not go away. sUBs has released a new version of Combofix. I would like you to download and run it. But a word of caution untill it is clean do not reboot your system or any missed will start the whole process all over. The files that are corrupted are recoverable

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Also download but do not use yet

Download RenV.exe by sUBs to your desktop

philgreen81 · « **Reply #3 on:** January 01, 2008, 05:08:36 PM »

Thanks for your advice. The reports are too big for one post so the Hijakthis log will follow. I should add that I seem to have attracted many viruses over the last week or so, most likely through Limewire. I had hoped that Avast would do the job but clearly not 100%. Hmmm there's a lesson there I think.

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1457 [GMT 0:00]
Running from: C:\Documents and Settings\Phil Green\My Documents\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
c:\program files\steam\steam.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\SRN Micro\SOLOSENT.EXE
C:\SRNMIC~1\SOLOSENT.EXE
C:\WINDOWS\Downloaded Program Files\Quarantine
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\Fonts\Crack.exe
C:\WINDOWS\Fonts\svchost.exe
C:\Windows\SMINST\RecGuard.exe
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\drivers\sfsync02.sys
C:\WINDOWS\system32\fccabcd.dll
C:\WINDOWS\system32\geedc(2).dll
C:\WINDOWS\system32\gjjlm.ini
C:\WINDOWS\system32\gjjlm.ini2
C:\WINDOWS\system32\jkkkjjk.dll
C:\WINDOWS\system32\jkklihg.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mljjg.dll
C:\WINDOWS\system32\mljjg.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qomkjhh.dll
C:\WINDOWS\system32\UpMedia
C:\winlogon.exe
E:\Autorun.inf
C:\WINDOWS\Fonts\'

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SFSYNC02
-------\sfsync02

philgreen81 · « **Reply #4 on:** January 01, 2008, 05:15:54 PM »

(2 of 3(?)) For future reference is there an easier way of posting files?

((((((((((((((((((((((((( Files Created from 2007-12-01 to 2008-01-01 )))))))))))))))))))))))))))))))
.

2008-01-01 15:13 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2008-01-01 14:52 . 2008-01-01 14:52   <DIR>   d--------   C:\WINDOWS\system32\ActiveScan
2008-01-01 14:52 . 2008-01-01 14:52   <DIR>   d--------   C:\WINDOWS\LastGood.Tmp
2008-01-01 14:52 . 2008-01-01 14:52   30,590   --a------   C:\WINDOWS\system32\pavas.ico
2008-01-01 14:52 . 2008-01-01 14:52   2,550   --a------   C:\WINDOWS\system32\Uninstall.ico
2008-01-01 14:52 . 2008-01-01 14:52   1,406   --a------   C:\WINDOWS\system32\Help.ico
2007-12-31 15:37 . 2007-09-24 23:31   69,632   --a------   C:\WINDOWS\system32\javacpl.cpl
2007-12-31 14:07 . 2007-12-04 12:54   95,608   --a------   C:\WINDOWS\system32\AvastSS.scr
2007-12-31 14:07 . 2007-12-04 14:55   94,544   --a------   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-31 14:07 . 2007-12-04 14:56   93,264   --a------   C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-31 14:07 . 2007-12-04 14:51   42,912   --a------   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-31 14:07 . 2007-12-04 14:49   26,624   --a------   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-31 14:07 . 2007-12-04 14:53   23,152   --a------   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-31 14:06 . 2007-12-04 13:04   837,496   --a------   C:\WINDOWS\system32\aswBoot.exe
2007-12-31 14:06 . 2004-01-09 09:13   380,928   --a------   C:\WINDOWS\system32\actskin4.ocx
2007-12-31 10:48 . 2008-01-01 15:17   <DIR>   d--------   C:\SRN Micro
2007-12-30 23:32 . 2007-12-31 10:25   <DIR>   d--------   C:\Program Files\PerformanceTest
2007-12-30 21:50 . 2007-12-31 10:25   <DIR>   d--------   C:\Program Files\AdwareAlert
2007-12-30 21:50 . 2007-12-30 21:50   <DIR>   d--------   C:\Documents and Settings\Phil Green\Application Data\AdwareAlert
2007-12-30 18:16 . 2007-12-30 22:37   <DIR>   d--------   C:\VundoFix Backups
2007-12-30 17:36 . 2007-12-31 10:25   <DIR>   d--------   C:\Program Files\RegistryFix
2007-12-30 17:17 . 2007-12-30 17:17   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\PCPitstop
2007-12-30 14:09 . 2007-12-30 14:09   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
2007-12-30 14:09 . 2007-12-30 14:09   1,409   --a------   C:\WINDOWS\QTFont.for
2007-12-30 14:07 . 2007-12-31 10:26   <DIR>   d--------   C:\Program Files\QuickTime
2007-12-30 14:06 . 2007-12-31 10:26   <DIR>   d--------   C:\Program Files\Apple Software Update
2007-12-11 19:46 . 2007-12-11 19:46   3,596,288   --a------   C:\WINDOWS\system32\qt-dx331.dll
2007-12-11 19:46 . 2007-12-11 19:46   524,288   --a------   C:\WINDOWS\system32\DivXsm.exe
2007-12-11 19:46 . 2007-12-11 19:46   4,816   --a------   C:\WINDOWS\system32\divxsm.tlb
2007-12-11 19:45 . 2007-12-11 19:45   1,044,480   --a------   C:\WINDOWS\system32\libdivx.dll
2007-12-11 19:45 . 2007-12-11 19:45   200,704   --a------   C:\WINDOWS\system32\ssldivx.dll
2007-12-11 19:43 . 2007-12-11 19:43   12,288   --a------   C:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-11 10:57 . 2007-12-11 10:57   65,536   --a------   C:\WINDOWS\system32\QuickTimeVR.qtx
2007-12-11 10:57 . 2007-12-11 10:57   49,152   --a------   C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-01 15:17   ---------   d-----w   C:\Program Files\Steam
2008-01-01 14:48   ---------   d---a-w   C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-31 15:37   ---------   d-----w   C:\Program Files\Java
2007-12-31 11:56   ---------   d-----w   C:\Program Files\GemMaster
2007-12-31 11:55   251   ----a-w   C:\Program Files\wt3d.ini
2007-12-31 11:52   ---------   d-----w   C:\Program Files\Google
2007-12-31 10:46   ---------   d-----w   C:\Program Files\LimeWire
2007-12-31 10:25   ---------   d-----w   C:\Program Files\PCPitstop
2007-12-30 14:14   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\WinZip
2007-12-11 19:46   43,528   ------w   C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-11-20 11:09   134   ----a-w   C:\n.bat
2007-11-18 15:47   ---------   d-----w   C:\Program Files\DivX
2007-11-17 12:22   ---------   d-----w   C:\Program Files\Full Tilt Poker
2007-11-13 14:24   822,272   ----a-w   C:\WINDOWS\system32\drivers\BCMWL5.SYS
2007-11-13 14:20   ---------   d-----w   C:\Program Files\DIFX
2007-11-13 14:01   ---------   d-----w   C:\Program Files\Hewlett-Packard
2007-11-13 13:55   35,092,648   ----a-w   C:\Vista upgrade.exe
2007-11-13 13:51   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-11-13 13:25   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-11-13 10:25   20,480   ----a-w   C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-11 13:22   ---------   d-----w   C:\Program Files\SystemRequirementsLab
2007-11-07 10:34   ---------   d-----w   C:\Program Files\PartyGaming
2007-11-06 23:57   ---------   d-----w   C:\Program Files\Real
2007-11-06 23:57   ---------   d-----w   C:\Program Files\Common Files\xing shared
2007-11-06 23:57   ---------   d-----w   C:\Program Files\Common Files\Real
2007-11-05 12:08   ---------   d-----w   C:\Documents and Settings\Phil Green\Application Data\CyberLink
2007-11-05 12:07   ---------   d-----w   C:\Program Files\Guild Wars
2007-11-04 18:35   ---------   d-----w   C:\Program Files\PacificPoker4
2007-11-02 18:05   0   ---ha-w   C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-11-02 18:05   0   ---ha-w   C:\WINDOWS\system32\drivers\Msft_Kernel_HpqKbFiltr_01005.Wdf
2007-11-02 18:04   ---------   d-----w   C:\Documents and Settings\Phil Green\Application Data\InstallShield
2007-11-02 18:03   ---------   d-----w   C:\Program Files\HP
2007-11-02 14:52   675,579   ----a-w   C:\WINDOWS\PROGRAM.exe
2007-11-02 14:52   177,480   ----a-w   C:\WINDOWS\distro_SelectRebatesSetup_um1002.exe
.

Code: [Select]

----a-w            79,224 2008-01-01 14:48:30  C:\Program Files\Alwil Software\Avast4\ashDisp .exe
----a-w            81,920 2008-01-01 14:48:21  C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
----a-w           221,184 2007-12-31 15:47:30  C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w           185,896 2008-01-01 14:48:23  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w           171,448 2008-01-01 14:48:32  C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier .exe
----a-w            40,960 2007-12-31 15:47:26  C:\Program Files\Hewlett-Packard\Default Settings\cpqset .exe
----a-w            49,152 2008-01-01 14:48:22  C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
----a-w           102,400 2008-01-01 14:48:18  C:\Program Files\HP\QuickPlay\QPService .exe
----a-w            75,520 2007-12-31 14:55:52  C:\Program Files\Java\jre1.5.0_11\bin\jusched .exe
----a-w         1,694,208 2007-12-31 11:55:23  C:\Program Files\Messenger\msmsgs .exe
----a-w         1,266,936 2008-01-01 14:48:37  C:\Program Files\Steam\steam .exe
----a-w         1,015,808 2008-01-01 14:48:17  C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
----a-w           102,400 2007-12-31 15:47:31  C:\Program Files\Synaptics\SynTP\SynTPStart .exe
----a-w           204,288 2008-01-01 14:48:33  C:\Program Files\Windows Media Player\WMPNSCFG .exe
----a-w           303,104 2007-12-31 14:51:37  C:\SRN Micro\SOLOCFG .EXE
----a-w            77,824 2008-01-01 14:48:27  C:\SRN Micro\SOLOSENT .EXE
----a-w            64,512 2008-01-01 14:48:11  C:\WINDOWS\ehome\ehtray .exe
----a-w           839,695 2008-01-01 14:48:27  C:\WINDOWS\Fonts\svchost .exe
----a-w         1,187,840 2007-12-31 15:47:30  C:\WINDOWS\SMINST\RecGuard .exe
----a-w            15,360 2008-01-01 14:48:32  C:\WINDOWS\system32\ctfmon .exe

philgreen81 · « **Reply #5 on:** January 01, 2008, 05:18:03 PM »

(3 of 3)
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-15 20:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [ ]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [ ]
"Steam"="c:\program files\steam\steam.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [ ]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 09:32 472800]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-07-26 22:44 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [ ]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [ ]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-06 13:47 173360]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [ ]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [ ]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [ ]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [ ]
"HP Software Update"="c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-20 20:58 7581696]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-07-20 20:58 86016]
"nwiz"="nwiz.exe" [2006-07-20 20:58 1519616 C:\WINDOWS\system32\nwiz.exe]
"SoloSentry"="C:\SRNMIC~1\SOLOSENT.EXE" [ ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-15 20:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-02-06 15:14:00]
HP Pavilion Webcam Tray Icon.lnk - C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe [2006-11-30 03:25:02]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 16:39:30]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2006-03-05 23:49]
S0 Spssys;Toshiba SPS Service;C:\WINDOWS\system32\drivers\spssys.sys []
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;C:\WINDOWS\system32\Drivers\5U870CAP.sys [2006-06-06 20:39]
S3 MODBDA2;DiBcom MOD3000 TV receiver;C:\WINDOWS\system32\Drivers\modbda2.sys [2006-07-16 06:27]
S3 RIOUNIV;Rio universal USB driver;C:\WINDOWS\system32\Drivers\RIOUNIV.sys [2007-02-25 14:42]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-31 10:18:50 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert .ex
- C:\Program Files\AdwareAlert
"2007-12-30 14:07:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-01 14:52:12 C:\WINDOWS\Tasks\User_Feed_Synchronization-{805A47BE-DB5F-4E09-82A4-199856E9AA86}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-01 15:20:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-01 15:23:10 - machine was rebooted
C:\qoobox\ComboFix-quarantined-files.txt 2008-01-01 15:23:07
.
2007-11-02 13:48:36 --- E O F ---

philgreen81 · « **Reply #6 on:** January 01, 2008, 05:21:06 PM »

(1 of 2)
Logfile of HijackThis v1.99.1
Scan saved at 15:33:11, on 01/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1198088742&rver=4.5.2130.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&id=64855
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=pavilion&pf=laptop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

philgreen81 · « **Reply #7 on:** January 01, 2008, 05:22:42 PM »

(2 of 2) I hope this means more to you than it does me.

Regards

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [SoloSentry] C:\SRNMIC~1\SOLOSENT.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PacificPoker4 - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=pavilion&pf=laptop
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1193332600968
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1193332853468
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe

Lisandro · « **Reply #8 on:** January 01, 2008, 06:23:23 PM »

Quote from: essexboy on December 31, 2007, 08:13:40 PM

Download ComboFix from Here or Here to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you.

For me, nothing happens... Does it work on Vista?
It keeps in a blank cmd window of the Administrator.[/list]

oldman · « **Reply #9 on:** January 01, 2008, 06:33:40 PM »

FAIKi t's not vista compatable.

essexboy · « **Reply #10 on:** January 01, 2008, 06:39:47 PM »

You have the new version of Vundo

Copy the entire contents of the Code Box below to Notepad.
Name the file as Log.txt (Overwrite the existing one)
Change the Save as Type to All Files
and Save it on the desktop

Code: [Select]

 ----a-w            79,224 2008-01-01 14:48:30  C:\Program Files\Alwil Software\Avast4\ashDisp .exe
----a-w            81,920 2008-01-01 14:48:21  C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
----a-w           221,184 2007-12-31 15:47:30  C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w           185,896 2008-01-01 14:48:23  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w           171,448 2008-01-01 14:48:32  C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier .exe
----a-w            40,960 2007-12-31 15:47:26  C:\Program Files\Hewlett-Packard\Default Settings\cpqset .exe
----a-w            49,152 2008-01-01 14:48:22  C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
----a-w           102,400 2008-01-01 14:48:18  C:\Program Files\HP\QuickPlay\QPService .exe
----a-w            75,520 2007-12-31 14:55:52  C:\Program Files\Java\jre1.5.0_11\bin\jusched .exe
----a-w         1,694,208 2007-12-31 11:55:23  C:\Program Files\Messenger\msmsgs .exe
----a-w         1,266,936 2008-01-01 14:48:37  C:\Program Files\Steam\steam .exe
----a-w         1,015,808 2008-01-01 14:48:17  C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
----a-w           102,400 2007-12-31 15:47:31  C:\Program Files\Synaptics\SynTP\SynTPStart .exe
----a-w           204,288 2008-01-01 14:48:33  C:\Program Files\Windows Media Player\WMPNSCFG .exe
----a-w           303,104 2007-12-31 14:51:37  C:\SRN Micro\SOLOCFG .EXE
----a-w            77,824 2008-01-01 14:48:27  C:\SRN Micro\SOLOSENT .EXE
----a-w            64,512 2008-01-01 14:48:11  C:\WINDOWS\ehome\ehtray .exe
----a-w           839,695 2008-01-01 14:48:27  C:\WINDOWS\Fonts\svchost .exe
----a-w         1,187,840 2007-12-31 15:47:30  C:\WINDOWS\SMINST\RecGuard .exe
----a-w            15,360 2008-01-01 14:48:32  C:\WINDOWS\system32\ctfmon .exe

Refering to the picture above, drag Log.txt into RenV.exe and attach the resulting report to your reply.

essexboy · « **Reply #11 on:** January 01, 2008, 06:43:49 PM »

I forgot to add that until this is finished do not reboot or start any other programme unless I say as it will infect/reinfect them

Lisandro · « **Reply #12 on:** January 01, 2008, 06:58:22 PM »

essexboy, any tool to scan my Vista system?

essexboy · « **Reply #13 on:** January 01, 2008, 07:00:08 PM »

What are you looking for ? Anything specific ?

oldman · « **Reply #14 on:** January 01, 2008, 07:02:08 PM »

Here Tech, essexboy probaly has more

http://forums.thatcomputerguy.us/index.php?showtopic=21427

Author Topic: Virtumonde? (Read 12374 times)

philgreen81

Virtumonde?

Lisandro

Re: Virtumonde?

essexboy

Re: Virtumonde?

philgreen81

Re: Virtumonde?

philgreen81

Re: Virtumonde?

philgreen81

Re: Virtumonde?

philgreen81

Re: Virtumonde?

philgreen81

Re: Virtumonde?

Lisandro

Re: Virtumonde?

oldman

Re: Virtumonde?

essexboy

Re: Virtumonde?

essexboy

Re: Virtumonde?

Lisandro

Re: Virtumonde?

essexboy

Re: Virtumonde?

oldman

Re: Virtumonde?