
[Closed] INFECTED WITH VIRTUMONDE.FP VIRUS


This topic is locked. 2 replies to this topic.

#1 DAREDEVIL (New Member, 1 post)

Posted 01 April 2008 - 08:50 AM

ComboFix 08-03-30.5 - SSNET01 2008-04-01 20:06:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.188 [GMT 5.5:30]
Running from: C:\Documents and Settings\SSNET01\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\SSNET01\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\mljge.exe
C:\WINDOWS\system32\vxkiisva.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM4f8db374.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\regsvr.exe
C:\WINDOWS\system32\egjlm.ini
C:\WINDOWS\system32\egjlm.ini2
C:\WINDOWS\system32\ehgpeiuq.dll
C:\WINDOWS\system32\gebaayw.dll
C:\WINDOWS\system32\hwqaornt.dll
C:\WINDOWS\system32\jedbxheq.dll
C:\WINDOWS\system32\kgdytfrg.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mllmn.dll
C:\WINDOWS\system32\ovvmykfj.dll
C:\WINDOWS\system32\pjqffqhr.dll
C:\WINDOWS\system32\rallbpku.ini
C:\WINDOWS\system32\regsvr.exe
C:\WINDOWS\system32\sckprsqw.dll
C:\WINDOWS\system32\setting.ini
C:\WINDOWS\system32\setup.ini
C:\WINDOWS\system32\ukpbllar.dll
C:\WINDOWS\system32\winhelp.exe
C:\WINDOWS\system32\ygcxcsju.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-01 to 2008-04-01 )))))))))))))))))))))))))))))))
.

2008-04-01 19:50 . 2008-04-01 19:50 <DIR> d-------- C:\Documents and Settings\SSNET01\Application Data\ESET
2008-04-01 19:49 . 2008-04-01 19:50 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-04-01 19:32 . 2008-04-01 19:32 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-03-30 21:35 . 2008-03-30 21:35 <DIR> d-------- C:\Program Files\Infinisys Ltd
2008-03-30 17:24 . 2008-03-31 17:25 1,570,892 --ahs---- C:\WINDOWS\system32\avnlsgih.ini
2008-03-29 17:25 . 2008-03-30 13:09 1,586,970 --ahs---- C:\WINDOWS\system32\illfpmja.ini
2008-03-28 17:31 . 2008-03-29 16:50 1,585,172 --ahs---- C:\WINDOWS\system32\umqpwomn.ini
2008-03-28 12:37 . 2008-03-28 12:37 315,915 --a------ C:\acadminidump.dmp
2008-03-27 17:24 . 2008-03-28 17:25 1,584,452 --ahs---- C:\WINDOWS\system32\gcfyynmk.ini
2008-03-27 17:18 . 2008-03-27 17:18 273,920 --a------ C:\WINDOWS\system32\mljge.dll
2008-03-27 14:55 . 2008-03-27 14:55 <DIR> d-------- C:\Documents and Settings\SSNET01\Application Data\Bitstream
2008-03-26 20:21 . 2008-03-26 20:21 <DIR> d-------- C:\Program Files\Webroot
2008-03-26 20:21 . 2008-03-26 20:21 <DIR> d-------- C:\Documents and Settings\SSNET01\Application Data\Webroot
2008-03-26 20:21 . 2008-03-26 20:21 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-03-26 20:21 . 2008-03-26 20:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-03-26 20:21 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll
2008-03-26 20:21 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-03-26 20:21 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-03-26 20:21 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-03-26 20:21 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-03-26 20:04 . 2008-03-26 20:07 <DIR> d-------- C:\Program Files\AutoCAD 2009
2008-03-26 20:04 . 2008-03-29 10:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Autodesk
2008-03-26 20:04 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-03-26 20:03 . 2008-03-26 20:03 <DIR> d-------- C:\Program Files\MSBuild
2008-03-26 20:00 . 2008-03-26 20:00 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-03-26 19:59 . 2008-03-26 19:59 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-03-26 19:59 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2008-03-26 19:54 . 2008-03-26 20:08 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2008-03-26 19:54 . 2008-03-26 19:54 <DIR> d-------- C:\Program Files\Autodesk
2008-03-26 19:54 . 2008-03-29 10:57 <DIR> d-------- C:\Documents and Settings\SSNET01\Application Data\Autodesk
2008-03-26 18:01 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-03-26 18:01 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-03-26 18:00 . 2008-03-26 18:00 <DIR> d--h----- C:\Program Files\Zenographics
2008-03-26 18:00 . 2008-03-26 18:00 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-03-26 18:00 . 2007-05-18 20:30 430,080 -ra------ C:\WINDOWS\system32\zshp1018.exe
2008-03-26 18:00 . 2007-05-18 20:30 143,360 -ra------ C:\WINDOWS\apptune1018.exe
2008-03-26 18:00 . 2007-05-18 20:30 128,380 -ra------ C:\WINDOWS\system32\hp1018.img
2008-03-26 18:00 . 2007-05-18 20:30 106,496 -ra------ C:\WINDOWS\system32\ZSPOOL.dll
2008-03-26 18:00 . 2007-05-18 20:30 102,400 -ra------ C:\WINDOWS\system32\zlhp1018.dll
2008-03-26 18:00 . 2007-05-18 20:30 61,440 -ra------ C:\WINDOWS\system32\zIMF.dll
2008-03-26 18:00 . 2007-05-18 20:30 53,248 -ra------ C:\WINDOWS\system32\ztag.dll
2008-03-26 18:00 . 2007-05-18 20:30 10,632 -ra------ C:\WINDOWS\system32\ZSHP1018.chm
2008-03-26 11:52 . 2008-03-26 11:52 <DIR> d-------- C:\WINDOWS\Sun
2008-03-26 10:39 . 2008-03-26 10:39 <DIR> d---s---- C:\Documents and Settings\SSNET01\UserData
2008-03-26 09:32 . 2008-03-26 09:32 <DIR> d-------- C:\Documents and Settings\SSNET01\Application Data\vlc
2008-03-26 09:27 . 2008-03-26 09:27 <DIR> d-------- C:\Documents and Settings\SSNET01\Application Data\Corel
2008-03-26 09:27 . 2008-04-01 10:48 2,516 --ahs---- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-03-26 09:27 . 2008-04-01 10:48 88 -r-hs---- C:\Documents and Settings\All Users\Application Data\36386BF1F5.sys
2008-03-26 09:14 . 2008-03-26 09:14 <DIR> d-------- C:\Program Files\Common Files\Protexis
2008-03-26 09:14 . 2008-03-26 09:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-03-26 09:12 . 2008-03-26 09:12 <DIR> d-------- C:\Program Files\Common Files\Corel
2008-03-26 09:11 . 2008-03-26 09:11 <DIR> d-------- C:\Program Files\Corel
2008-03-24 13:00 . 2001-08-17 13:48 17,664 --a------ C:\WINDOWS\system32\drivers\sermouse.sys
2008-03-24 13:00 . 2001-08-17 13:48 17,664 --a--c--- C:\WINDOWS\system32\dllcache\sermouse.sys
2008-03-23 18:28 . 2008-03-23 18:28 <DIR> d-------- C:\Documents and Settings\SSNET01\Application Data\AdobeUM
2008-03-23 18:01 . 2008-03-23 18:01 <DIR> d-------- C:\Program Files\uTorrent
2008-03-23 18:01 . 2008-03-31 17:19 <DIR> d-------- C:\Documents and Settings\SSNET01\Application Data\uTorrent
2008-03-23 16:30 . 2008-03-23 16:30 <DIR> d-------- C:\Documents and Settings\SSNET01\Application Data\Media Player Classic
2008-03-23 16:26 . 2008-03-23 16:26 1,158 --a------ C:\WINDOWS\mozver.dat
2008-03-22 12:28 . 2008-03-22 12:28 <DIR> d-------- C:\Program Files\DX-Ball

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-01 14:19 --------- d-----w C:\Program Files\ESET
2008-04-01 14:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-03-20 08:17 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-20 08:13 --------- d-----w C:\Documents and Settings\SSNET01\Application Data\Rediff.com
2008-03-20 08:12 --------- d-----w C:\Program Files\Rediff Toolbar
2008-03-20 08:12 --------- d-----w C:\Program Files\Rediff Bol
2008-03-20 08:11 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-03-20 08:11 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-03-20 08:11 --------- d-----w C:\Program Files\Real
2008-03-20 08:11 --------- d-----w C:\Program Files\Common Files\xing shared
2008-03-20 08:11 --------- d-----w C:\Program Files\Common Files\Real
2008-03-20 08:10 --------- d-----w C:\Program Files\VideoLAN
2008-03-20 08:10 --------- d-----w C:\Program Files\Java
2008-03-20 08:09 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-03-20 08:08 --------- d-----w C:\Program Files\Common Files\Java
2008-03-20 08:08 --------- d-----w C:\Program Files\Acesoft
2008-03-20 08:07 --------- d-----w C:\Program Files\Yahoo!
2008-03-20 08:07 --------- d-----w C:\Program Files\MSN Messenger
2008-03-20 08:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-03-20 08:06 --------- d-----w C:\Program Files\Google
2008-03-20 08:04 --------- d-----w C:\Program Files\Microsoft.NET
2008-03-20 08:03 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-03-20 07:57 --------- d-----w C:\Program Files\VIA
2008-03-20 07:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-20 07:55 --------- d-----w C:\Program Files\S3
2008-03-20 07:53 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-20 07:46 --------- d-----w C:\Program Files\microsoft frontpage
2008-02-20 05:41 71,176 ----a-w C:\WINDOWS\system32\drivers\epfw.sys
2008-02-20 05:41 54,280 ----a-w C:\WINDOWS\system32\drivers\epfwtdi.sys
2008-02-20 05:41 30,728 ----a-w C:\WINDOWS\system32\drivers\epfwndis.sys
2008-02-20 05:32 29,704 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-02-20 05:31 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2008-02-09 23:39 13,464 ----a-w C:\WINDOWS\system32\AcSignExtRes.dll
2008-02-09 23:38 43,160 ----a-w C:\WINDOWS\system32\AcSignIcon.dll
2008-02-09 23:38 426,136 ----a-w C:\WINDOWS\system32\AcSignOpt.exe
2008-02-09 23:38 28,312 ----a-w C:\WINDOWS\system32\AcSignExt.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C9983F1F-5E82-4B7F-9620-B60D8174B488}]
2008-03-27 17:18 273920 --------- C:\WINDOWS\system32\mljge.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-11-06 19:51 3810544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2006-09-21 14:06 53248 C:\WINDOWS\system32\VTTimer.exe]
"HDAudDeck"="C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe" [2007-06-29 15:21 811008]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-20 13:41 185896]
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2007-05-18 20:30 98304]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-02-20 11:06 1443072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger"="C:\WINDOWS\system32\regsvr.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebaayw]
gebaayw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\mljge.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Reboot.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Reboot.exe
backup=C:\WINDOWS\pss\Reboot.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4cbe80e8]
C:\WINDOWS\system32\ukpbllar.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM4f8db374]
C:\WINDOWS\system32\hwqaornt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 ViBus;ViBus;C:\WINDOWS\system32\DRIVERS\ViBus.sys [2007-03-26 12:56]
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2007-03-29 09:06]
R0 ViPrt;VIA SATA IDE Device Driver;C:\WINDOWS\system32\DRIVERS\ViPrt.sys [2007-03-26 12:56]
R2 PSI_SVC_2;Protexis Licensing V2;"c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe" [2007-07-24 11:15]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2007-04-17 09:28]
R3 S3GIGP;S3GIGP;C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys [2007-07-11 10:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-01 12:57:25 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\winhelp.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-01 20:11:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\mljge.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-04-01 20:14:48 - machine was rebooted [SSNET01]
ComboFix-quarantined-files.txt 2008-04-01 14:44:37
Pre-Run: 4,656,570,368 bytes free
Post-Run: 4,569,718,784 bytes free
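
The log above shows the usual Virtumonde/Vundo foothold: a BHO DLL with a random name (mljge.dll), that same DLL appended to the LSA "Authentication Packages" list so lsass.exe loads it at boot (confirmed under "DLLs Loaded Under Running Processes"), a Winlogon Notify package (gebaayw.dll), Security Center alerts switched off and the Windows Firewall disabled. The Python below is an added triage example, not code from this thread or from ComboFix: it parses a "Reg Loading Points" excerpt (lines copied from the log above) and flags those persistence points. Which keys to flag, the "random-looking name" heuristic and the tiny allowlist are this example's own assumptions.

```python
"""Triage of ComboFix 'Reg Loading Points' output for Vundo-style persistence.

Added example: not code from the forum post, ComboFix or its authors.  The
sample text is excerpted from the log posted above; the choice of keys to
flag and the 'random-looking name' heuristic are this example's own.
"""
import re

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C9983F1F-5E82-4B7F-9620-B60D8174B488}]
2008-03-27 17:18 273920 --------- C:\WINDOWS\system32\mljge.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-02-20 11:06 1443072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger"="C:\WINDOWS\system32\regsvr.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebaayw]
gebaayw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\mljge.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\[\]]+')        # a drive path up to a quote or bracket
RANDOM_DLL = re.compile(r"\\([a-z]{5,8})\.dll$")      # e.g. mljge.dll, gebaayw.dll
# Tiny allowlist of legitimate short stems (assumption; extend as needed).
KNOWN_STEMS = {"ntdll", "urlmon", "mshtml", "shdocvw", "browseui", "wininet", "ieframe"}


def parse_sections(text):
    """Group the log into {registry key (lowercased): [value lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections


def looks_random(path):
    """5-8 lowercase letters, no digits, not allowlisted: a hint, not proof."""
    m = RANDOM_DLL.search(path)
    return bool(m) and m.group(1) not in KNOWN_STEMS


def find_indicators(text):
    """Return (category, detail) tuples for persistence points worth a second look."""
    findings = []
    for key, lines in parse_sections(text).items():
        if key.endswith("\\control\\lsa"):
            # Anything besides msv1_0 here is loaded into lsass.exe at boot.
            for line in lines:
                if line.startswith("Authentication Packages"):
                    rest = line.split("REG_MULTI_SZ", 1)[1]
                    paths = [p.strip() for p in WIN_PATH.findall(rest)]
                    names = WIN_PATH.sub("", rest).split()
                    for pkg in names + paths:
                        if pkg.lower() != "msv1_0":
                            findings.append(("lsa_auth_package", pkg))
        elif "\\winlogon\\notify\\" in key:
            # ComboFix hides default entries, so any Notify package shown runs in winlogon.
            for line in lines:
                findings.append(("winlogon_notify", line))
        elif "browser helper objects" in key:
            for line in lines:
                m = WIN_PATH.search(line)
                if m and looks_random(m.group(0).strip()):
                    findings.append(("bho_random_name", m.group(0).strip()))
        elif key.endswith("\\security center"):
            for line in lines:
                m = re.match(r'"(\w*DisableNotify)"=dword:0*1$', line)
                if m:
                    findings.append(("security_center_notify_disabled", m.group(1)))
        elif "firewallpolicy" in key and key.endswith("standardprofile"):
            for line in lines:
                if re.match(r'"EnableFirewall"=\s*0\b', line):
                    findings.append(("firewall_disabled", "standardprofile"))
        elif key.endswith("\\currentversion\\run"):
            for line in lines:
                m = re.match(r'"([^"]+)"="([^"]*)"\s*\[(.*)\]', line)
                # Empty brackets: ComboFix found no file at that path (regsvr.exe was
                # already deleted in the 'Other Deletions' section of the log above).
                if m and not m.group(3).strip():
                    findings.append(("run_target_missing", m.group(1)))
    return findings


if __name__ == "__main__":
    for category, detail in find_indicators(SAMPLE_LOG):
        print(f"{category:32s} {detail}")
```

Run as a script it prints one line per finding; the ESET "egui" Run entry produces nothing because its target file exists and its name is not random-looking. The checks are deliberately conservative: a Notify package or a second LSA package is reported whenever it appears, since ComboFix already suppresses the default entries, while the BHO check relies on the name heuristic and should be read as a prompt to look the file up, not as a verdict.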



#2 Blade81 (SuperMember, Visiting Fellow, MVP, 1,065 posts; Interests: Floorball, football, music, computers..)

Posted 06 April 2008 - 01:02 PM

Hi

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\avnlsgih.ini
C:\WINDOWS\system32\illfpmja.ini
C:\WINDOWS\system32\umqpwomn.ini
C:\WINDOWS\system32\gcfyynmk.ini
C:\WINDOWS\system32\mljge.dll
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\system32\winhelp.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C9983F1F-5E82-4B7F-9620-B60D8174B488}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebaayw]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages=hex(7):6d,73,76,31,5f,30,00,00

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4cbe80e8]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM4f8db374]


Save this as CFScript


[image: CFScript being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log. Post also a HJT log (instructions below in case you need it).


ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also what process you had to end.



Getting HijackThis log
----------------------

Download and install TrendMicro HijackThis
* Once installed, open HijackThis by clicking Start > Programs > HijackThis and click the button labeled "Do a system scan only".

* Click the scan button in the lower left hand corner of the interface and HijackThis will quickly scan your system.
* Once the scan is complete the scan button will now read "Save log". Click this button to save the log file to your PC. Once you select where you would like to save the file, it will open in your system's default text editor. Typically this application is Notepad. Post the log here.

Microsoft MVP Consumer Security 2008 2009 2010 2011 2012 ASAP & UNITE member since 2006
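
The line `Authentication Packages=hex(7):6d,73,76,31,5f,30,00,00` in the script above is a REG_MULTI_SZ written in REGEDIT4 notation (the ComboFix log header says REGEDIT4): each string is NUL-terminated and the list ends with one more NUL, so those bytes decode to just `msv1_0`, which is how the script drops mljge.dll from the list that lsass.exe loads. The Python below is an added example, not Blade81's, ComboFix's or Microsoft's code: it encodes and decodes that notation, reports any package other than msv1_0 in an exported value, and regenerates the same Registry:: fragment. For comparison it also produces the UTF-16LE layout a "Windows Registry Editor Version 5.00" file would use, which CFScripts do not. Decoding the REGEDIT4 bytes as Latin-1 is an assumption standing in for the ANSI code page; for the ASCII names involved here the two are identical.

```python
"""Encode and decode the hex(7) REG_MULTI_SZ notation used in CFScript/.reg files.

Added example for this thread; not Blade81's, ComboFix's or Microsoft's code.
Assumption: REGEDIT4 strings are decoded as Latin-1 (a stand-in for the ANSI
code page, identical for the ASCII package names involved here).
"""

EXPECTED_PACKAGES = ["msv1_0"]                      # clean XP default
# The value as the log above reports it before cleanup (constructed from that line).
INFECTED_PACKAGES = ["msv1_0", r"C:\WINDOWS\system32\mljge.dll"]


def decode_multi_sz(hex_text, unicode=False):
    """'hex(7):6d,73,76,31,5f,30,00,00' -> ['msv1_0'].

    Accepts the bare byte list or the full 'hex(7):...' value, including
    .reg-style continuation backslashes.  unicode=True selects the UTF-16LE
    layout of 'Windows Registry Editor Version 5.00' files.
    """
    body = hex_text.split(":", 1)[-1].replace("\\", "").replace("\n", "")
    raw = bytes(int(b, 16) for b in body.split(",") if b.strip())
    text = raw.decode("utf-16-le" if unicode else "latin-1")
    if not text.endswith("\0\0"):
        raise ValueError("REG_MULTI_SZ must end with a double NUL")
    body_text = text[:-2]
    return body_text.split("\0") if body_text else []


def encode_multi_sz(values, unicode=False):
    """['msv1_0'] -> '6d,73,76,31,5f,30,00,00' (REGEDIT4) or the UTF-16LE form."""
    if any(not v or "\0" in v for v in values):
        raise ValueError("entries must be non-empty and contain no NUL")
    text = "".join(v + "\0" for v in values) + "\0"   # per-string NUL plus list terminator
    raw = text.encode("utf-16-le" if unicode else "latin-1")
    return ",".join(f"{b:02x}" for b in raw)


def unexpected_packages(hex_text, expected=EXPECTED_PACKAGES):
    """Entries in an exported Authentication Packages value that are not msv1_0."""
    return [p for p in decode_multi_sz(hex_text) if p.lower() not in expected]


def lsa_fix_script(packages=EXPECTED_PACKAGES):
    """The Registry:: fragment from the CFScript above, regenerated from a list."""
    return (
        "Registry::\n"
        "[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]\n"
        f"Authentication Packages=hex(7):{encode_multi_sz(packages)}\n"
    )


if __name__ == "__main__":
    print("CFScript value decodes to:", decode_multi_sz("hex(7):6d,73,76,31,5f,30,00,00"))
    infected = encode_multi_sz(INFECTED_PACKAGES)
    print("infected value as hex(7):", infected)
    print("unexpected packages:", unexpected_packages(infected))
    print(lsa_fix_script(), end="")
```

Run as a script it decodes the value from the CFScript, shows what the infected list from the log would look like in the same notation, names the extra package, and prints the fix fragment. The double-NUL check matters in practice: a hand-typed hex(7) value missing the final `00` is a malformed REG_MULTI_SZ, and the encoder refuses empty strings because an empty entry would be read as the end of the list.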

#3 Blade81 (SuperMember, Visiting Fellow, MVP, 1,065 posts)

Posted 13 April 2008 - 01:34 PM

Due to inactivity this topic will be closed. If you need help, please start a new thread and post a new HJT log.
