GeekPolice

Virtumonde hijack


Post by Johnny Clamboat on Tue May 05, 2009 10:58 pm

Good evening,

I have a stubborn infection that cannot be deleted with Spybot or Malwarebytes. It also deactivates my Symantec Anti-Virus. The following files and keys are the ones that keep showing up on the scans:

Files:
C:\Windows\system32\eaxmufm.dll
C:\Windows\Temp\wqtmfcqv.dat

Registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{67cab31f-58f3-451c-85f7-14f214050504}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\thqrbvud

HKEY_CLASSES_ROOT\CLSID\{67cab31f-58f3-451c-85f7-14f214050504}


Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:46:19 PM, on 5/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\program files\mirra\mirra.watchdog.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Mirra\Mirra.Service.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Mirra\Mirra.Client.exe
C:\Documents and Settings\carter.mecham\Start Menu\Programs\Startup\FaxCtrl.exe
C:\Documents and Settings\carter.mecham\Start Menu\Programs\Startup\VPTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\userinit.exe
E:\hijackgpthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Advanced Equities
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
O1 - Hosts: 94.232.248.66 antivguardian.com
O1 - Hosts: 94.232.248.66 [You must be registered and logged in to see this link.]
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {67CAB31F-58F3-451C-85F7-14F214050504} - c:\windows\system32\eaxmufm.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [ccApp] -
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA9601] command.com /c del "C:\WINDOWS\system32\sdra64.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2001] cmd.exe /c del "C:\WINDOWS\system32\sdra64.exe"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA1363] command.com /c del "C:\WINDOWS\system32\elkbpfyj.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3102] cmd.exe /c del "C:\WINDOWS\system32\elkbpfyj.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7752] command.com /c del "C:\WINDOWS\system32\elkbpfyj.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1228] cmd.exe /c del "C:\WINDOWS\system32\elkbpfyj.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2523] command.com /c del "C:\WINDOWS\system32\elkbpfyj.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7084] cmd.exe /c del "C:\WINDOWS\system32\elkbpfyj.dll"
O4 - S-1-5-18 Startup: FaxCtrl.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: VPTray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: FaxCtrl.exe (User 'Default user')
O4 - .DEFAULT Startup: VPTray.exe (User 'Default user')
O4 - Startup: FaxCtrl.exe
O4 - Startup: VPTray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Mirra.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: SEAGULL WinJa Java Client 4_0C11 - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - [You must be registered and logged in to see this link.]
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.corp
O17 - HKLM\Software\..\Telephony: DomainName = ad.corp
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.corp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ad.corp
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ad.corp
O18 - Protocol hijack: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5021}
O20 - Winlogon Notify: thqrbvud - C:\WINDOWS\SYSTEM32\eaxmufm.dll
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MirraSync Service (Mirra.Service) - Mirra, Inc. - C:\Program Files\Mirra\Mirra.Service.exe
O23 - Service: Mirra Watchdog Service (Mirra.Watchdog) - Mirra, Inc. - c:\program files\mirra\mirra.watchdog.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7696 bytes


Thank you,

John C


Re: Virtumonde hijack

Post by Belahzur on Tue May 05, 2009 11:09 pm

Hello.
The reason the files won't go away is because they are being locked by a rootkit, called Sentinal. The same goes for the registry keys. If you already have MBAM on the system, I need you to update it to the latest database, which is able to kill the rootkit. Before doing anything, we need to remove some of the malicious entries in HijackThis.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O1 - Hosts: ::1 localhost
    O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
    O1 - Hosts: 94.232.248.66 antivguardian.com
    O1 - Hosts: 94.232.248.66 [You must be registered and logged in to see this link.]
    O2 - BHO: (no name) - {67CAB31F-58F3-451C-85F7-14F214050504} - c:\windows\system32\eaxmufm.dll
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\RunOnce: [SpybotDeletingA9601] command.com /c del "C:\WINDOWS\system32\sdra64.exe"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC2001] cmd.exe /c del "C:\WINDOWS\system32\sdra64.exe"
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKLM\..\RunOnce: [SpybotDeletingA1363] command.com /c del "C:\WINDOWS\system32\elkbpfyj.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC3102] cmd.exe /c del "C:\WINDOWS\system32\elkbpfyj.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA7752] command.com /c del "C:\WINDOWS\system32\elkbpfyj.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC1228] cmd.exe /c del "C:\WINDOWS\system32\elkbpfyj.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA2523] command.com /c del "C:\WINDOWS\system32\elkbpfyj.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC7084] cmd.exe /c del "C:\WINDOWS\system32\elkbpfyj.dll"
    O18 - Protocol hijack: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5021}
    O20 - Winlogon Notify: thqrbvud - C:\WINDOWS\SYSTEM32\eaxmufm.dll


  • Press "Fix Checked"
  • Close Hijack This.

The latest database as of right now is 2079. Update MBAM, run the scan and post the log.


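The entries ticked in the post above are the persistence set this family leaves in a HijackThis log: hosts-file pins of security-vendor names to one external address, an Internet Explorer proxy pointing at localhost:7171 (so every HTTP request goes through a local listener, which explains "unable to access any websites" once that listener is not running), a BHO with no name, a Winlogon Notify package, and a replaced pluggable protocol handler. The script below is an added example, not part of the original thread and not HijackThis code: it applies those checks to lines copied from the posted log. The Notify allowlist, the vendor-domain list and the random-name rule are this example's own assumptions; the "::1 localhost" line is treated as benign here even though the post ticks it too.

```python
"""HijackThis log triage: the entry classes fixed by hand in this thread.
Added example (not from the post or from HijackThis); sample lines copied
from the HJT log above; allowlist, domain list and the random-name rule
are this example's own assumptions."""
import ipaddress
import re

# Constructed sample: lines copied from the HJT log posted in the thread.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
O1 - Hosts: 94.232.248.66 antivguardian.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {67CAB31F-58F3-451C-85F7-14F214050504} - c:\windows\system32\eaxmufm.dll
O18 - Protocol hijack: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5021}
O20 - Winlogon Notify: thqrbvud - C:\WINDOWS\SYSTEM32\eaxmufm.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Winlogon\Notify packages normally present on XP or installed by common
# vendor software (assumed allowlist, lowercase; tune for your environment).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
                "igfxcui", "navlogon"}
# Pinning these to a non-loopback address is how the rogue blocks updates.
SECURITY_DOMAINS = ("microsoft.com", "symantec.com", "malwarebytes.org")

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(.+)$")
BHO_RE = re.compile(r"^O2 - BHO:\s+(.*?)\s+-\s+\{[0-9A-Fa-f-]+\}\s+-\s+(.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify:\s+(\S+)\s+-\s+(.+)$")


def looks_random(path):
    """Heuristic: 6-9 lowercase letters with no branding (eaxmufm,
    thqrbvud) is the naming pattern of this family's DLLs and drivers."""
    stem = re.sub(r"\.(dll|sys|exe)$", "",
                  path.replace("\\", "/").rsplit("/", 1)[-1], flags=re.I)
    return bool(re.fullmatch(r"[a-z]{6,9}", stem)) and stem not in KNOWN_NOTIFY


def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def proxy_hosts(value):
    """'http=localhost:7171;https=proxy:8080' -> ['localhost', 'proxy']"""
    return [e.split("=", 1)[-1].rsplit(":", 1)[0]
            for e in value.split(";") if e.strip()]


def triage(log_text):
    """Return (section, reason, line) for every entry worth fixing."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            if not is_loopback(ip):            # ::1 / 127.0.0.1 lines are benign
                why = "hosts-file redirect to " + ip
                if host.lower().endswith(SECURITY_DOMAINS):
                    why += " (security vendor domain)"
                findings.append((section, why, line))
            continue
        if section == "R1":
            m = PROXY_RE.search(line)
            if m and any(is_loopback(h) for h in proxy_hosts(m.group(1))):
                findings.append((section, "all HTTP forced through a local listener; "
                                 "browsing dies when that process is gone", line))
            continue
        m = BHO_RE.match(line)
        if m:
            name, dll = m.groups()
            if name == "(no name)" or looks_random(dll):
                findings.append((section, "unbranded BHO DLL loaded into Internet Explorer", line))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            name, dll = m.groups()
            if name.lower() not in KNOWN_NOTIFY or looks_random(dll):
                findings.append((section, "Notify package runs inside winlogon.exe at boot", line))
            continue
        if line.startswith("O18 - Protocol hijack"):
            findings.append((section, "pluggable protocol handler replaced", line))
    return findings


if __name__ == "__main__":
    for section, why, line in triage(SAMPLE_HJT):
        print(f"[{section}] {why}\n    {line}")
```

Ticking an entry in HijackThis only removes the registry value or hosts line; as the rest of the thread shows, the DLL itself comes back while the driver that locks it is still loaded, so the triage output is a to-do list, not a fix.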
Re: Virtumonde hijack

Post by Johnny Clamboat on Wed May 06, 2009 12:30 am

Hello,

I am unable to update MBAM on the infected computer. I tried loading it onto a jump drive on another computer and transfer it but it did not work.

I am also unable to access any websites. There doesn't appear to be anything wrong with the connection unless I'm missing something; it's the same connection I'm using with the clean system.

Any suggestions?

Thanks.


Re: Virtumonde hijack

Post by Belahzur on Wed May 06, 2009 12:36 am

Hello.
I'll take a wild guess and say you have more than one rootkit here.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

Note: This tool was posted specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.


Re: Virtumonde hijack

Post by Johnny Clamboat on Wed May 06, 2009 12:56 am

Here's the avenger.txt:

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.


Re: Virtumonde hijack

Post by Belahzur on Wed May 06, 2009 1:09 pm

Hmmm.
Okay, good work. No rootkit there, but my feelings tell me we'll need to use The Avenger again. We will, but we need to find that rootkit that is locking the files. This scanner will find it, and once it has, we can put a stop to it.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, two logs will open. Save both of the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


Re: Virtumonde hijack

Post by Johnny Clamboat on Wed May 06, 2009 1:22 pm

DDS.txt:


DDS (Ver_09-03-16.01) - NTFSx86
Run by carter.mecham at 9:18:46.95 on Wed 05/06/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.643 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\program files\mirra\mirra.watchdog.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Mirra\Mirra.Service.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Mirra\Mirra.Client.exe
C:\Documents and Settings\carter.mecham\Start Menu\Programs\Startup\FaxCtrl.exe
C:\Documents and Settings\carter.mecham\Start Menu\Programs\Startup\VPTray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\carter.mecham\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uWindow Title = Microsoft Internet Explorer provided by Advanced Equities
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: : {67cab31f-58f3-451c-85f7-14f214050504} - c:\windows\system32\eaxmufm.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [RightFAX Print-to-Fax Driver] c:\program files\rightfax\faxctrl.exe
mRun: [ccApp] -
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [Spybot - Search & Destroy] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
mRunOnce: [Cleanup] C:\cleanup.exe
StartupFolder: c:\documents and settings\carter.mecham\start menu\programs\startup\FaxCtrl.exe
StartupFolder: c:\documents and settings\carter.mecham\start menu\programs\startup\VPTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mirra.lnk - c:\program files\mirra\Mirra.Client.exe
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoTaskGrouping = 1 (0x1)
uPolicies-explorer: NoSimpleStartMenu = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
uPolicies-explorer: NoThemesTab = 1 (0x1)
uPolicies-system: NoVisualStyleChoice = 1 (0x1)
uPolicies-system: NoColorChoice = 1 (0x1)
uPolicies-system: Wallpaper = c:\windows\web\wallpaper\aewallpaper.jpg
uPolicies-system: WallpaperStyle = 2
uPolicies-system: NoDispAppearancePage = 0 (0x0)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-explorer: DisableLocalMachineRunOnce = 1 (0x1)
mPolicies-explorer: DisableLocalMachineRun = 1 (0x1)
mPolicies-system: LogonType = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: SEAGULL WinJa Java Client 4_0C11 - [You must be registered and logged in to see this link.]
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - [You must be registered and logged in to see this link.]
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: thqrbvud - eaxmufm.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 mtrjmsno;mtrjmsno;c:\windows\system32\drivers\mtrjmsno.sys [2003-3-31 23424]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-6-2 161392]
R2 Mirra.Service;MirraSync Service;c:\program files\mirra\Mirra.Service.exe [2007-9-12 49152]
R2 Mirra.Watchdog;Mirra Watchdog Service;c:\program files\mirra\Mirra.Watchdog.exe [2007-9-12 20480]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-6-23 124608]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-6-23 1715904]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-6-2 83568]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20061204.017\naveng.sys [2007-8-1 79240]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20061204.017\navex15.sys [2007-8-1 831880]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys --> c:\windows\system32\drivers\rcvpn.sys [?]
S4 ccEvtMgr;Symantec Event Manager;- --> - [?]
S4 SAVRT;SAVRT;- --> - [?]

=============== Created Last 30 ================

2009-05-05 20:50 135,168 a------- C:\zip.exe
2009-05-05 20:50 19,286 a------- C:\cleanup.exe
2009-05-05 20:50 574 a------- C:\cleanup.bat
2009-05-05 20:16 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-05 20:16 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-05 20:16 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-05 11:59 305 a------- c:\windows\wininit.ini
2009-05-04 12:01 --d----- c:\program files\Spybot - Search & Destroy
2009-05-04 12:01 --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-22 17:42 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-22 17:42 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-22 17:35 --d----- c:\documents and settings\carter.mecham\.SunDownloadManager
2009-04-22 17:17 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-04-22 15:43 --d----- c:\windows\pss
2009-04-22 09:32 --d----- c:\docume~1\carter~1.mec\applic~1\Malwarebytes
2009-04-22 09:32 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================


============= FINISH: 9:19:08.93 ===============


Re: Virtumonde hijack

Post by Belahzur on Wed May 06, 2009 1:27 pm

That found the little devil.

1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C)


Drivers to disable:
mtrjmsno

Drivers to delete:
mtrjmsno

Files to delete:
c:\windows\system32\drivers\mtrjmsno.sys
c:\windows\system32\eaxmufm.dll

Registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\thqrbvud
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{67cab31f-58f3-451c-85f7-14f214050504}

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.


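The Avenger script above maps three DDS findings onto removal sections: the R0 driver mtrjmsno (a boot-start driver with a random name, which is what kept the files locked), the Winlogon Notify package thqrbvud, and the nameless BHO CLSID, all pointing at eaxmufm.dll. As an added example, not the forum's, DDS's or The Avenger's own code, the following builds that same script from the DDS lines posted earlier; the boot-start-plus-random-name rule for drivers, the Notify allowlist, and the assumption that a bare DLL name in a Notify line lives in system32 are this example's own.

```python
"""Build the Avenger removal script from DDS findings.
Added example: not code from the forum, DDS or The Avenger. Sample lines
are copied from the DDS log posted above; the boot-start-plus-random-name
rule for drivers, the Notify allowlist and the assumption that a bare DLL
name in a Notify line lives in system32 are this example's own."""
import re

# Constructed sample: Pseudo HJT and SERVICES / DRIVERS lines from the DDS log.
SAMPLE_DDS = r"""
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: : {67cab31f-58f3-451c-85f7-14f214050504} - c:\windows\system32\eaxmufm.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: thqrbvud - eaxmufm.dll
R0 mtrjmsno;mtrjmsno;c:\windows\system32\drivers\mtrjmsno.sys [2003-3-31 23424]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-6-23 1715904]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys --> c:\windows\system32\drivers\rcvpn.sys [?]
"""

KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
                "igfxcui", "navlogon"}          # assumed allowlist, lowercase
SYSTEM32 = r"c:\windows\system32"               # assumed home of bare DLL names
NOTIFY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

# "R0 name;display;path [date size]" or "S3 name;display;path --> path [?]"
DRIVER_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+(?:-->|\[)")
NOTIFY_RE = re.compile(r"^Notify:\s+(\S+)\s+-\s+(\S+)")
BHO_RE = re.compile(r"^BHO:\s*(.*?):\s*(\{[0-9a-f-]+\})\s+-\s+(.+)$", re.I)


def random_stem(name):
    """Heuristic: 6-9 lowercase letters, no branding (mtrjmsno, eaxmufm)."""
    stem = re.sub(r"\.(dll|sys|exe)$", "",
                  name.replace("\\", "/").rsplit("/", 1)[-1], flags=re.I)
    return bool(re.fullmatch(r"[a-z]{6,9}", stem)) and stem not in KNOWN_NOTIFY


def analyze(dds_text):
    """Collect the driver, files and registry keys Avenger should remove."""
    found = {"drivers": [], "files": [], "keys": []}

    def add(kind, item):            # keep line order, drop duplicates
        if item not in found[kind]:
            found[kind].append(item)

    for line in dds_text.splitlines():
        line = line.strip()
        m = DRIVER_RE.match(line)
        if m:
            start, name, _display, path = m.groups()
            # A boot/system-start driver with a random name loads before the
            # AV does; it is what keeps re-locking the files the scanners delete.
            if start in ("R0", "R1") and random_stem(name):
                add("drivers", name)
                add("files", path)
            continue
        m = NOTIFY_RE.match(line)
        if m:
            name, dll = m.groups()
            if name.lower() not in KNOWN_NOTIFY:
                add("keys", NOTIFY_KEY + "\\" + name)
                add("files", dll if "\\" in dll else SYSTEM32 + "\\" + dll)
            continue
        m = BHO_RE.match(line)
        if m:
            name, clsid, dll = m.groups()
            if not name.strip() or random_stem(dll):   # nameless BHO = unbranded
                add("keys", BHO_KEY + "\\" + clsid)
                add("files", dll)
    return found


def avenger_script(found):
    """Render the sections in the layout the thread's script uses."""
    blocks = [("Drivers to disable:", found["drivers"]),
              ("Drivers to delete:", found["drivers"]),
              ("Files to delete:", found["files"]),
              ("Registry keys to delete:", found["keys"])]
    return "\n\n".join(title + "\n" + "\n".join(items)
                       for title, items in blocks if items) + "\n"


if __name__ == "__main__":
    print(avenger_script(analyze(SAMPLE_DDS)))
```

Disabling the driver is listed before deleting it because the deletion happens at the next boot, before the driver would otherwise load and re-lock its own file; the same file (eaxmufm.dll) is reached from both the BHO and the Notify entry and is listed once.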
Re: Virtumonde hijack

Post by Johnny Clamboat on Wed May 06, 2009 1:38 pm

Avenger.txt:

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "mtrjmsno" disabled successfully.
Driver "mtrjmsno" deleted successfully.
File "c:\windows\system32\drivers\mtrjmsno.sys" deleted successfully.
File "c:\windows\system32\eaxmufm.dll" deleted successfully.
Registry key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\thqrbvud" deleted successfully.
Registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{67cab31f-58f3-451c-85f7-14f214050504}" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Re: Virtumonde hijack

Post by Belahzur on Wed May 06, 2009 1:40 pm

Okay, that should do it for the rootkit.

Now we have to address the antivirus issue. I see it's Symantec, but it's disabled and outdated. You're leaving yourself wide open to another attack.

Is it a trial version? just a guess.

If it is, it needs to be removed and replaced with something free and easy to update.


Re: Virtumonde hijack

Post by Johnny Clamboat on Wed May 06, 2009 1:48 pm

Would you recommend AVG or something else?


Re: Virtumonde hijack

Post by Belahzur on Wed May 06, 2009 1:52 pm

Hello. I recommend Avira.

Please install Avira antivirus otherwise you won't be protected.

1) [You must be registered and logged in to see this link.]
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

Then I want to see what's installed so I can direct you on uninstalling Symantec.

  • Open HijackThis.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.
