   Mischel Internet Security Forum
   Virtumonde Eldorado Trojan - Help with removal?
KG4ONJ
Virtumonde Eldorado Trojan - Help with removal?
« on: Jul 26th, 2008, 7:21am »
Hello!
 
I discovered a couple of days ago that my computer's performance took a nose dive and after inspecting a bit I found that I have a trojan (or some type of malware) that is keeping the processor busy all the time.  It is also blocking access to some websites.  I'm getting lots of popups in both IE and Firefox (I primarily use Firefox).
 
I first did a scan with F-PROT and this is what I found:
 
Found security risk: W32/Virtumonde.AB.gen!Eldorado (not disinfectable, generic)
Filename: opnkhgEu.dll
Found security risk: W32/Virtumonde.AB.gen!Eldorado (not disinfectable, generic)
Filename: OPNKHGEU.DLL
 
After reading some of the other messages in this forum I downloaded HijackThis and TrojanHunter.  I booted into safe mode and ran a full TH scan - here are the results:
 
TrojanHunter Scan Report - Saved 2008-07-26 06:48
 
Found trojan file: C:\WINDOWS\system32\fccArOHY.dll (Generic.Vundo.B)
Unable to quarantine file C:\WINDOWS\system32\fccArOHY.dll: Scheduling file to be quarantined when computer is restarted
 
After that I booted up normally and ran the HJT scan - here are the results:
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:18:52 AM, on 7/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [BMff500078] Rundll32.exe "C:\WINDOWS\system32\wsfmxdmp.dll",s
O4 - HKLM\..\Run: [fc6333e4] rundll32.exe "C:\WINDOWS\system32\lkncicjm.dll",b
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office XP\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201904133937
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software International - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
 
--
End of file - 7327 bytes
 
Thanks for any help you can offer!
siliconman01
Re: Virtumonde Eldorado Trojan - Help with removal
« Reply #1 on: Jul 26th, 2008, 8:20am »
Welcome to the forum KG4ONJ
 
Even though TrojanHunter found one problem, it appears not to have found them all.  Please do the following:
 
1.  Please make all of your files and folders visible via the procedure in the link below.
 
http://www.misec.net/forum/board/FAQ/1139610900
 
2.  Submit the following files to Mischel Internet Security for analysis.  The link below describes how to submit a file.
 
http://www.misec.net/forum/board/FAQ/1139308293
 
Files to submit:
 
wsfmxdmp.dll
lkncicjm.dll

 
(Both are in your C:\Windows\System32 folder)
 
3.  Go to the link below and download program Combofix.exe and save it on your desktop.  
   
http://download.bleepingcomputer.com/sUBs/ComboFix.exe  
   
4.  Temporarily de-activate all your security programs EXCEPT your software firewall.  
   
5.  Close down as many programs as you can (programs in the Notification Tray-  next to the clock).  
   
6.  Close your browser.  
   
7.  Double click on Combofix.exe desktop icon to execute it and follow the instructions.  
 
Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.
   
-  When Combofix.exe is finished, it will save a log file on your system.    
   
8.  Post the Combofix log back here    
   
9.  Run HijackThis and post a HijackThis scan log back here.  DO NOT fix anything with HJT...just post the scan log.
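A triage helper for the kind of HijackThis entries the moderator is reacting to here: the two rundll32 Run keys, the unnamed BHO and the Winlogon Notify hook that all point at 8-letter DLLs dropped into system32. This is an added example, not code from this thread or from Mischel Internet Security; the `looks_random` heuristic is constructed for illustration, the sample lines are copied from the logs posted in this thread, and the heuristic will also flag some legitimate 8-letter names, so a hit is a candidate to submit for analysis rather than a verdict.

```python
"""Flag Vundo/Virtumonde-style persistence entries in a HijackThis log.

Pattern seen in this thread: 8-letter, randomly named DLLs dropped into
system32 and hooked from several autostart points at once:
  O4  HKLM\..\Run entries that invoke rundll32 on the DLL
  O2  Browser Helper Objects listed as "(no name)"
  O20 Winlogon Notify entries (the DLL is loaded into winlogon.exe)
Heuristic triage only; a hit means "submit this file for analysis".
"""
import re
from typing import Dict, List, Tuple

# Sample input: lines copied from the HijackThis logs posted in this thread,
# plus benign entries from the same logs so the filter has something to pass.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {018B27FF-E05F-4CB5-8763-540CB3FD457A} - C:\WINDOWS\system32\opnkhgEu.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [BMff500078] Rundll32.exe "C:\WINDOWS\system32\wsfmxdmp.dll",s
O4 - HKLM\..\Run: [fc6333e4] rundll32.exe "C:\WINDOWS\system32\lkncicjm.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: opnkhgEu - C:\WINDOWS\SYSTEM32\opnkhgEu.dll
"""

# A DLL living directly in %SystemRoot%\system32; group 1 is the file stem.
SYSTEM32_DLL = re.compile(r"[a-z]:\\windows\\system32\\([a-z0-9_]+)\.dll", re.I)

# Why each hook type matters, keyed by HijackThis section prefix.
REASONS = {
    "O2": "unnamed BHO loads a random-named system32 DLL into every IE process",
    "O4": "Run key launches a random-named system32 DLL through rundll32",
    "O20": "Winlogon Notify DLL with a random name is loaded into winlogon.exe",
}


def looks_random(stem: str) -> bool:
    """Vundo-style file stems: exactly 8 letters, either almost vowel-free
    (wsfmxdmp, lkncicjm) or with upper case scattered mid-word (opnkhgEu).
    Constructed heuristic; legitimate 8-letter names can trip it."""
    if len(stem) != 8 or not stem.isalpha():
        return False
    vowels = sum(ch in "aeiouAEIOU" for ch in stem)
    tail = stem[1:]
    mixed_case = any(ch.isupper() for ch in tail) and any(ch.islower() for ch in tail)
    return vowels <= 2 or mixed_case


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, dll_name, reason) for each suspicious O2/O4/O20 line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        if section not in REASONS:
            continue
        # Only rundll32-driven Run entries fit the pattern; direct EXEs are
        # judged by name, path and signer elsewhere, not by this rule.
        if section == "O4" and "rundll32" not in line.lower():
            continue
        match = SYSTEM32_DLL.search(line)
        if match and looks_random(match.group(1)):
            findings.append((section, match.group(1) + ".dll", REASONS[section]))
    return findings


def hooks_per_dll(findings: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group hits by DLL: one file hooked from several points (as opnkhgEu.dll
    is, via O2 and O20) is the strongest single signal in the log."""
    grouped: Dict[str, List[str]] = {}
    for section, dll, _ in findings:
        grouped.setdefault(dll, []).append(section)
    return grouped


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for section, dll, reason in hits:
        print(f"{section:<4}{dll:<16}{reason}")
    for dll, sections in hooks_per_dll(hits).items():
        print(f"{dll}: hooked via {', '.join(sections)}")
```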
KG4ONJ
Re: Virtumonde Eldorado Trojan - Help with removal
« Reply #2 on: Jul 26th, 2008, 10:29am »
Thanks for the quick reply!  I emailed the requested files and have run both Combofix.exe and HJT.  Here are the results:
 
ComboFix 08-07-25.7 - Michael Barr 2008-07-26 10:12:14.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1984 [GMT -4:00]
Running from: C:\Documents and Settings\Michael Barr\Desktop\ComboFix.exe
 * Created a new restore point
 * Resident AV is active
 
 
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
C:\Documents and Settings\Michael Barr\Application Data\macromedia\Flash Player\#SharedObjects\A29RKKVT\interclick.com
C:\Documents and Settings\Michael Barr\Application Data\macromedia\Flash Player\#SharedObjects\A29RKKVT\interclick.com\ud.sol
C:\Documents and Settings\Michael Barr\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Michael Barr\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Program Files\Common Files\svchost.exe
C:\WINDOWS\BMff500078.txt
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\abwdcjfl.ini
C:\WINDOWS\system32\aymrciqe.ini
C:\WINDOWS\system32\bgiytbeg.dll
C:\WINDOWS\system32\dlypjf.dll
C:\WINDOWS\system32\eifctcxw.dll
C:\WINDOWS\system32\fccArOHY.dll
C:\WINDOWS\system32\foimrpdq.dll
C:\WINDOWS\system32\garbyokv.dll
C:\WINDOWS\system32\hmoshz.dll
C:\WINDOWS\system32\kbqdebou.ini
C:\WINDOWS\system32\kvhfvxec.dll
C:\WINDOWS\system32\lfjcdwba.dll
C:\WINDOWS\system32\lkncicjm.dll
C:\WINDOWS\system32\lvxxrqda.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mjcicnkl.ini
C:\WINDOWS\system32\mkuwjaeu.dll
C:\WINDOWS\system32\ngsnvsxw.dll
C:\WINDOWS\system32\rbxkebxx.dll
C:\WINDOWS\system32\sohsfbeq.dll
C:\WINDOWS\system32\toblsmxx.dll
C:\WINDOWS\system32\vvseqdqe.dll
C:\WINDOWS\system32\wfhbkagt.dll
C:\WINDOWS\system32\wsfmxdmp.dll
C:\WINDOWS\system32\wwcjys.dll
C:\WINDOWS\system32\xahjbjqh.dll
C:\WINDOWS\system32\xmdonots.dll
C:\WINDOWS\system32\xxbekxbr.ini
C:\WINDOWS\system32\yaqlyc.dll
C:\WINDOWS\system32\yevetrkk.dll
C:\WINDOWS\system32\YHOrAccf.ini
C:\WINDOWS\system32\YHOrAccf.ini2
C:\WINDOWS\system32\yuxtvdry.dll
 
.
(((((((((((((((((((((((((   Files Created from 2008-06-26 to 2008-07-26  )))))))))))))))))))))))))))))))
.
 
2008-07-26 09:49 . 2008-07-26 09:49  <DIR>  d--------  C:\WINDOWS\system32\KG4ONJ
2008-07-26 09:40 . 2008-07-26 09:48  162,914  --a------  C:\WINDOWS\system32\KG4ONJ.zip
2008-07-26 09:39 . 2008-07-26 09:39  162,848  --a------  C:\WINDOWS\system32\wsfmxdmp.zip
2008-07-26 06:49 . 2008-07-26 06:49  <DIR>  d--------  C:\Documents and Settings\Michael Barr\Application Data\TrojanHunter
2008-07-25 18:59 . 2008-07-25 18:59  <DIR>  d--------  C:\Documents and Settings\Administrator
2008-07-25 18:13 . 2008-07-25 18:22  <DIR>  d--------  C:\Program Files\TrojanHunter 5.0
2008-07-25 18:03 . 2008-07-25 18:03  <DIR>  d--------  C:\WINDOWS\E58B329BFB28487490DE0D7CB2709267.TMP
2008-07-25 17:56 . 2008-07-25 17:56  <DIR>  d--------  C:\Program Files\Trend Micro
2008-07-25 17:42 . 2008-07-25 17:42  91,700  --a------  C:\WINDOWS\system32\drivers\klin.dat
2008-07-25 17:42 . 2008-07-25 17:42  85,860  --a------  C:\WINDOWS\system32\drivers\klick.dat
2008-07-25 17:33 . 2008-07-25 17:33  <DIR>  d--------  C:\Program Files\Kaspersky Lab
2008-07-25 17:33 . 2008-07-26 07:46  <DIR>  d--------  C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-25 17:33 . 2008-07-26 11:05  286,752  --ahs----  C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-25 17:33 . 2008-07-26 10:58  11,552  --ahs----  C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-25 17:33 . 2008-07-26 10:53  6,428  --ahs----  C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-25 17:33 . 2008-07-26 10:53  2,084  --ahs----  C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-25 17:27 . 2008-07-25 17:27  <DIR>  d--------  C:\kav
2008-07-24 22:34 . 2008-07-24 22:34  <DIR>  d--------  C:\Documents and Settings\Michael Barr\Application Data\FRISK Software
2008-07-24 22:25 . 2008-07-24 22:25  <DIR>  d--------  C:\Program Files\FRISK Software
2008-07-24 22:25 . 2008-07-24 22:25  <DIR>  d--------  C:\Documents and Settings\All Users\Application Data\FRISK Software
2008-07-24 22:25 . 2008-03-28 14:06  592,224  --a------  C:\WINDOWS\system32\drivers\FStopW.sys
2008-07-23 22:37 . 2008-07-23 22:37  <DIR>  d--------  C:\Program Files\Lavasoft
2008-07-23 22:37 . 2008-07-23 22:39  <DIR>  d--------  C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-23 14:45 . 2008-07-25 17:14  111,541  --a------  C:\WINDOWS\BMff500078.xml
2008-07-23 14:39 . 2008-07-23 14:39  26,112  --a------  C:\WINDOWS\system32\opnkhgEu.dll
2008-07-20 08:33 . 2008-07-20 08:33  <DIR>  d--------  C:\Psfonts
2008-07-20 08:33 . 2008-07-23 22:37  <DIR>  d--------  C:\Program Files\Common Files\Wise Installation Wizard
2008-07-20 08:32 . 2008-07-20 21:47  <DIR>  d--------  C:\Program Files\Finale 2003
2008-07-20 08:32 . 2008-07-20 08:32  702  --a------  C:\WINDOWS\winiini.fin
2008-07-20 08:03 . 2008-07-20 08:03  <DIR>  d--------  C:\Documents and Settings\All Users\Application Data\Sibelius Software
2008-07-20 08:03 . 2008-07-20 08:03  604  --ah-----  C:\WINDOWS\T4
2008-07-20 08:03 . 2008-07-20 08:03  604  --ah-----  C:\WINDOWS\system32\T3
2008-07-19 07:12 . 2008-07-20 08:04  <DIR>  d--------  C:\Documents and Settings\Michael Barr\Application Data\Sibelius Software
2008-07-19 07:09 . 2008-07-20 07:58  <DIR>  d--------  C:\Program Files\Sibelius Software
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-24 05:39  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-24 05:38  ---------  d-----w  C:\Program Files\Google
2008-07-20 12:03  604  ---ha-w  C:\Program Files\STLL Notifier
2008-07-11 03:08  ---------  d-----w  C:\Documents and Settings\Michael Barr\Application Data\U3
2008-06-20 02:43  ---------  d-----w  C:\Program Files\Kjpro
2008-06-15 20:41  ---------  d-----w  C:\Program Files\Microsoft ActiveSync
2008-06-15 20:40  ---------  d-----w  C:\Program Files\Microsoft Office XP
2008-06-15 20:27  ---------  d-----w  C:\Program Files\Access 97 Runtime
2008-06-15 19:54  ---------  d-----w  C:\Program Files\Karaoke Song List Creator
2008-06-15 15:57  ---------  d-----w  C:\Program Files\Common Files\cdrdao
2008-06-15 15:21  539,648  --sh--w  C:\Program Files\Common Files\msdp.dll
2008-06-15 15:21  ---------  d-----w  C:\Program Files\Doblon
2008-06-15 03:39  ---------  d-----w  C:\Documents and Settings\Michael Barr\Application Data\CoreFTP
2008-06-14 02:07  ---------  d-----w  C:\Program Files\Chartcross
2008-06-12 02:48  ---------  d-----w  C:\Documents and Settings\Michael Barr\Application Data\GARMIN
2008-06-08 13:47  ---------  d-----w  C:\Program Files\Motorola
2008-06-08 13:47  ---------  d-----w  C:\Program Files\Common Files\Motorola Shared
2008-06-06 18:27  18,880  ----a-w  C:\Documents and Settings\Michael Barr\Application Data\GDIPFONTCACHEV1.DAT
2008-05-16 15:58  12,632  ----a-w  C:\WINDOWS\system32\lsdelete.exe
2008-04-25 18:32  5,817,064  ----a-w  C:\Program Files\mozilla firefox\plugins\ScorchPDFWrapper.dll
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown  
REGEDIT4
 
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{018B27FF-E05F-4CB5-8763-540CB3FD457A}]
2008-07-23 14:39  26112  --a------  C:\WINDOWS\system32\opnkhgEu.dll
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 11:37 2321600]
"SetDefaultMIDI"="MIDIDef.exe" [2005-05-24 04:17 25088 C:\WINDOWS\MIDIDEF.EXE]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 10:12 90112]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00 90112]
"EKIJ5000StatusMonitor"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2007-04-03 09:54 753664]
"MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe" [2001-07-25 11:00 241714]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-17 02:26 49152]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12 49152]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"MediaFace Integration"="C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe" [2003-08-18 17:46 53248]
"F-PROT Antivirus Tray application"="C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe" [2008-04-21 15:25 1597832]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2008-07-09 18:54 1056928]
"CTHelper"="CTHELPER.EXE" [2005-05-24 04:28 16384 C:\WINDOWS\CTHELPER.EXE]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 16:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 16:32 56080 C:\WINDOWS\KHALMNPR.Exe]
 
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2008-02-02 01:13:58 49254]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-04-27 14:36:53 124400]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-02-01 18:19:17 692224]
Microsoft Office.lnk - C:\Program Files\Microsoft Office XP\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
 
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{018B27FF-E05F-4CB5-8763-540CB3FD457A}"= "C:\WINDOWS\system32\opnkhgEu.dll" [2008-07-23 14:39 26112]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnkhgEu]
2008-07-23 14:39 26112 C:\WINDOWS\system32\opnkhgEu.dll
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FPAVServer]
@="Service"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
"C:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
"C:\\CAVEDOG\\TOTALA\\TotalA.exe"=
"C:\\Program Files\\DXport\\DXPort.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\TADemo\\SERVER.EXE"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Motorola\\Software Update\\msu.exe"=
"C:\\kav\\kav7\\setup.exe"=
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
 
R0 FPAV_RTP;FPAV_RTP;C:\WINDOWS\system32\DRIVERS\FStopW.sys [2008-03-28 14:06]
R2 FPAVServer;F-PROT Antivirus for Windows system;C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe [2008-04-21 21:26]
R2 KodakSvc;Kodak AiO Device Service;C:\Program Files\Kodak\printer\center\KodakSvc.exe [2007-03-22 19:04]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S2 ousbehci;OrangeWare USB Enhanced Host Controller Service;C:\WINDOWS\system32\Drivers\ousbehci.sys [2005-06-14 22:01]
S3 DCamUSBVeo532;Veo Stingray/Connect Web Camera;C:\WINDOWS\system32\Drivers\ubVeo532.sys [2002-07-01 19:30]
S3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\getnd5b.sys [2004-01-29 02:32]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2007-10-10 17:41]
S3 ousb2hub;OrangeWare USB 2.0 Hub Support;C:\WINDOWS\system32\DRIVERS\ousb2hub.sys [2005-06-14 22:01]
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e49a8b38-eebc-11dc-956b-00112fdd6d54}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
 
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D48g43BC-4266-43f0-B6ED-9D38C4202C7E}]
C:\Program Files\Common Files\mscd.exe
.
- - - - ORPHANS REMOVED - - - -
 
BHO-{2CD3F99A-B8E0-48D1-9939-1A8F78756C14} - C:\Documents and Settings\Michael Barr\Local Settings\Temporary Internet Files\Content.IE5\9WLWY02E\3077ahntdksr[1].dll
HKLM-Run-BMff500078 - C:\WINDOWS\system32\wsfmxdmp.dll
HKLM-Run-fc6333e4 - C:\WINDOWS\system32\lkncicjm.dll
 
 
.
------- Supplementary Scan -------
.
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O18 -: Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - C:\Program Files\CoreFTP\pftpns.dll
 
 
**************************************************************************
 
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-26 11:02:10
Windows 5.1.2600 Service Pack 2 NTFS
 
scanning hidden processes ...  
 
scanning hidden autostart entries ...
 
scanning hidden files ...  
 
scan completed successfully
hidden files: 0
 
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
 
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\opnkhgEu.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-07-26 11:13:39 - machine was rebooted
ComboFix-quarantined-files.txt  2008-07-26 15:11:57
 
Pre-Run: 43,649,208,320 bytes free
Post-Run: 44,718,661,632 bytes free
 
231--- E O F ---2008-06-21 10:00:35
KG4ONJ
Re: Virtumonde Eldorado Trojan - Help with removal
« Reply #3 on: Jul 26th, 2008, 10:29am »
And the HJT Log:
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:05 AM, on 7/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Microsoft Office XP\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office XP\Office10\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {018B27FF-E05F-4CB5-8763-540CB3FD457A} - C:\WINDOWS\system32\opnkhgEu.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office XP\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201904133937
O20 - Winlogon Notify: opnkhgEu - C:\WINDOWS\SYSTEM32\opnkhgEu.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software International - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
 
--
End of file - 7674 bytes
KG4ONJ
Re: Virtumonde Eldorado Trojan - Help with removal
« Reply #4 on: Jul 26th, 2008, 10:34am »

Performance seems to be back somewhat, but not 100%.  Can you recommend an antivirus/anti-mal/adware software package so that I can try to avoid this happening again?
 
I have the feeling there's more hanging around here..
siliconman01
Re: Virtumonde Eldorado Trojan - Help with removal
« Reply #5 on: Jul 26th, 2008, 11:53am »

Combofix found many, many infections and deleted them.  However, there is still an infection showing up which is C:\WINDOWS\system32\opnkhgEu.dll
 
Please do the following.
 
1.  Delete Combofix.exe from your desktop
 
2.  Delete the Combofix log file.
 
3.  Delete the Combofix quarantine folder from your C drive.  This is a folder named Qoobox.  It is probably at the root directory C:\.  
 
4.  Once you get the above deleted from your system, please run a remote online scan using Bit Defender.  The link below is for the online scanner.  Note that to get the online scanner started, you just click on the red "I agree" on the webpage.  
 
http://www.bitdefender.com/scan8/ie.html
 
-  Use Internet Explorer to access the link.  Bit Defender will need to download an ActiveX component for the scanner.  Please let it do so.
 
-  Temporarily disable all your security programs except your firewall.  
 
-  Close down as many programs as you can (the icons next to the task bar clock).
 
-  BE SURE to scan your entire computer with the online scanner.
 
-  Bit Defender will attempt to delete any infections it finds during the scan.  
 
5.  Once Bit Defender is completed, please post back here the Bit Defender scan log.
 
6.  Run a new HJT scan and post the log.
 
Once we get you cleaned up, then I can provide some guidance on how to keep yourself more reliably protected. Okay?
______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
KG4ONJ
Re: Virtumonde Eldorado Trojan - Help with removal
« Reply #6 on: Jul 26th, 2008, 6:29pm »

Thanks so much for your help!  I ran the BitDefender online scanner as well as a new HJT scan.  Looks like it picked up a fair amount of junk, mostly emails in my deleted folder.  Here are the results:
 
http://www.barr.ws/download/BitDefenderScan.html (it was far too long to post here so I just uploaded it to my server)
 
HJT Log:
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:27:23 PM, on 7/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office XP\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201904133937
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software International - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
 
--
End of file - 7731 bytes
 
Thanks a ton!
« Last Edit: Jul 26th, 2008, 6:34pm by KG4ONJ »
siliconman01
Re: Virtumonde Eldorado Trojan - Help with removal
« Reply #7 on: Jul 27th, 2008, 1:37am »

You are very welcome.
 
First of all, many of the infections found by Bit Defender in your email were from greeting card emails.  Greeting cards are notorious for having a malicious payload.  When you get an email with a greeting card attachment, regardless of who it is from, do not even open it.  The odds are great that it will infect your machine.  Delete it immediately.  Ask your friends and family not to send greeting cards to you via email or to direct you to go to greeting card websites.
 
Below is an example of a user receiving an infected Hallmark e-card.  The jotti scan shows that the card is malicious.  Notice also that F-Prot did not find anything.
 
http://www.virustotal.com/analisis/60c22a2528a93eca979e775e543a0ea1
 
Now the good news - Your HJT scan log is clean.  So now let's do some cleanup work.
 
1.  Your System Restore files will have become severely infected during all this.  Please follow the procedure in the link below to clean out System Restore.
 
http://www.misec.net/forum/board/FAQ/1139255588
 
2.  Your Java applet is really out-of-date.  For security reasons, you need to update to the latest Java Update 7.  The link below provides a freebie tool that does this job for you.  
 
http://www.misec.net/forum/board/FAQ/1216543051
 
3.  I strongly suspect that you have an infected HOSTS file on your system because of all the nasty critters that the cybercriminals, graciously and without any fanfare, have given you.  This would cause you to be unable to access certain webpages and to be redirected to bad/malicious websites.    
 
Note that none of the scanning programs that you have used have the logic to test and repair the HOSTS file.  
 
Would you please check the following:  
 
a.  First of all, make all your files and folders visible per the instructions in the link below.  
 
http://www.misec.net/forum/board/FAQ/1139610900  
 
b.  Then using Windows Explorer, navigate to folder etc which is at C:\Windows\System32\drivers\etc.  
 
c.  Open folder etc
 
d.  Locate the file named HOSTS (with no extension...just HOSTS)  
 
e.  Right click on HOSTS and open it with NOTEPAD.    
 
f.  The very first operational entry should be  
  
127.0.0.1     localhost
 
- Note that lines starting with a # are comment lines and are not operational.    
 
g.  Every operational entry after 127.0.0.1     localhost should start with 127.0.0.1.  Example below:  
 
Quote:

127.0.0.1  localhost  
127.0.0.1  ad.a8.net  
127.0.0.1  asy.a8ww.net  
127.0.0.1 www.aaa-livedoor.net  #[Trojan-PSW.Win32.Maran.ei]  
127.0.0.1 www.abx4.com  #[Adware.ABXToolbar]  
127.0.0.1  acezip.net  #[SiteAdvisor.acezip.net]  
127.0.0.1 www.acezip.net  #[Win32/Adware.180Solutions]  
127.0.0.1  phpadsnew.abac.com  
127.0.0.1  a.abnad.net  
127.0.0.1  b.abnad.net  
127.0.0.1  c.abnad.net  #[eTrust.Tracking.Cookie]  
127.0.0.1  d.abnad.net  
127.0.0.1  e.abnad.net  
127.0.0.1  t.abnad.net  
127.0.0.1  banners.absolpublisher.com  
127.0.0.1  tracking.absolstats.com
 
 
h.  If your HOSTS file has operational entries that direct to an IP address other than 127.0.0.1, then the file is contaminated and needs to be fixed.  To fix it:  
 
-  Make sure that the very first operational entry is  
 
127.0.0.1     localhost
 
-  Delete ALL operational entries that do not begin with 127.0.0.1  
 
-  Save the changed HOSTS file.  
 
-  Close NOTEPAD and Windows Explorer.  
 
-  If changes were made, reboot your computer.  
 
-  Test your browser to see if it now works properly.  
 
-  Please post back here stating whether you found the HOSTS file contaminated.
 
Continued instructions in my next post
« Last Edit: Jul 28th, 2008, 3:23am by siliconman01 »
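As an added example (not from the thread), the check in steps f through h above written as a script: it parses a HOSTS file the way the post describes, reports every operational entry that does not point to 127.0.0.1 and a first entry other than "127.0.0.1 localhost", and returns a repaired copy for comparison before anything is saved. The sample file and the 203.0.113.10 address in it are constructed; the script applies the post's rule literally, so on newer Windows versions an IPv6 "::1 localhost" line would also be flagged.

```python
"""Check and repair a Windows HOSTS file using the rules given in the post above.

Rules applied:
  * lines starting with '#' and blank lines are comments, not operational
  * the first operational entry must be '127.0.0.1 localhost'
  * every operational entry must map its host name to 127.0.0.1;
    an entry pointing anywhere else is treated as contamination
Nothing is written to disk: check_hosts() reports, clean_hosts() returns the
repaired text so the user can compare it with the original before saving.
"""

LOOPBACK = "127.0.0.1"
DEFAULT_PATH = r"C:\Windows\System32\drivers\etc\hosts"   # location named in the post


def operational_entries(text):
    """Yield (line_number, ip, [hostnames]) for each non-comment, non-blank line."""
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        yield number, fields[0], fields[1:]


def check_hosts(text):
    """Return a list of problems found; an empty list means the file passes."""
    problems = []
    entries = list(operational_entries(text))
    if not entries:
        return ["no operational entries: '127.0.0.1 localhost' is missing"]
    number, ip, hosts = entries[0]
    if ip != LOOPBACK or hosts != ["localhost"]:
        problems.append(f"line {number}: first operational entry is not '127.0.0.1 localhost'")
    for number, ip, hosts in entries:
        if ip != LOOPBACK:
            problems.append(f"line {number}: {' '.join(hosts)} -> {ip} (not {LOOPBACK})")
    return problems


def clean_hosts(text):
    """Return repaired text: comments kept, every operational entry that does not
    begin with 127.0.0.1 deleted, and '127.0.0.1 localhost' placed first."""
    kept, have_localhost = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            kept.append(raw)                      # comment or blank line, keep as-is
            continue
        fields = line.split()
        if fields[0] != LOOPBACK:
            continue                              # delete: points somewhere else
        if fields[1:] == ["localhost"]:
            if have_localhost:
                continue                          # drop duplicate localhost lines
            have_localhost = True
        elif not have_localhost:
            kept.append(f"{LOOPBACK}\tlocalhost")  # localhost must be the first entry
            have_localhost = True
        kept.append(raw)
    if not have_localhost:
        kept.append(f"{LOOPBACK}\tlocalhost")
    return "\n".join(kept) + "\n"


def check_hosts_file(path=DEFAULT_PATH):
    """Convenience wrapper for a real file (XP writes HOSTS as plain ANSI text)."""
    with open(path, encoding="latin-1") as handle:
        return check_hosts(handle.read())


# Constructed sample: two comment lines, then entries in the style of the
# example quoted in the post, plus two entries hijacked to a TEST-NET address.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       ad.a8.net
127.0.0.1       www.abx4.com   #[Adware.ABXToolbar]
203.0.113.10    www.bitdefender.com
203.0.113.10    update.microsoft.com
"""

if __name__ == "__main__":
    for problem in check_hosts(SAMPLE_HOSTS):
        print(problem)
    print("--- repaired ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```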
siliconman01
Re: Virtumonde Eldorado Trojan - Help with removal
« Reply #8 on: Jul 27th, 2008, 1:54am »

Continued from my post above:
 
4.  Perform some cleanup via Hijackthis.
 
4a.  Run another Hijackthis scan
 
4b.  When the scan is completed, place a check mark in the box next to the following items.  BE SURE that these are the only items checked.
 
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
 
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
 
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
 
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

 
4c.  Click on Fix Checked located at the lower left corner of the HJT window.  Confirm that you want HJT to fix these items and let it fix them.  
 
4d.  Close Hijackthis and reboot your computer.
 
You should now be pretty well cleaned up after all of the above items are completed.  I recommend that you now DEFRAG your system to help improve performance.  
 
My next post will provide some recommendations to improve/enhance your overall system security.
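Added example, not part of the thread: the comparison behind "your HJT scan log is clean" and the item list in step 4b, done as a script that extracts the tagged entries from two HijackThis logs and lists what disappeared (the O20 Winlogon Notify hook) and what appeared (the Bit Defender uninstall button and ActiveX control). The two logs embedded in it are constructed excerpts of the logs posted above, not complete copies.

```python
"""Compare two HijackThis logs and report which entries disappeared and which
appeared.  The logs below are a constructed subset of the two logs posted in
this thread, not complete copies."""

import re

# HJT entries start with a section tag such as "R1 - ", "O4 - " or "O20 - ";
# headers and the "Running processes" list have no such tag and are ignored.
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - ")


def hjt_entries(log_text):
    """Return the set of entry lines (whitespace-trimmed) found in a log."""
    lines = (line.strip() for line in log_text.splitlines())
    return {line for line in lines if ENTRY_RE.match(line)}


def entries_in_section(log_text, section):
    """Entries of one section, e.g. 'O20' for Winlogon Notify hooks."""
    prefix = section + " - "
    return sorted(e for e in hjt_entries(log_text) if e.startswith(prefix))


def diff_logs(before, after):
    """Return (removed, added): entries only in the old log, only in the new."""
    old, new = hjt_entries(before), hjt_entries(after)
    return sorted(old - new), sorted(new - old)


# Constructed excerpt of the first log (before the Bit Defender scan).
BEFORE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201904133937
O20 - Winlogon Notify: opnkhgEu - C:\WINDOWS\SYSTEM32\opnkhgEu.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
"""

# Constructed excerpt of the second log (after the Bit Defender scan).
AFTER_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201904133937
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
"""

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("Gone since the last log:")
    for entry in removed:
        print("  ", entry)
    print("New since the last log (leftovers to review):")
    for entry in added:
        print("  ", entry)
```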
siliconman01
Re: Virtumonde Eldorado Trojan - Help with removal
« Reply #9 on: Jul 27th, 2008, 2:36am »

In addition to my two posts above:
 
Recommendations:
 
Keep Microsoft Windows Up-to-date  
 
As you know, Microsoft issues hot fixes on the second Tuesday of every month.  Be sure to keep Windows and Microsoft Office updated through Windows Update.    
 
I see you are running Service Pack 2.  Service Pack 3 has been released for XP via the Windows Update site.  This is the last service pack release for XP.    
 
-  I recommend that you install this new Service Pack 3.  This will ensure that you have all the latest security fixes for XP.  Also, many XP users report performance/speed improvements after SP3 is installed.  
 
-  Prior to installing SP-3, be sure to disable all your security programs EXCEPT your software firewall.  Also close down as many programs as you can (icons next to the clock in your Task Bar).
 
Install SpywareBlaster  
 
SpywareBlaster is a freebie security program that protects you from over 10,000 malicious websites and malicious downloads from the web.  It uses no system resources because it sets Kill Bits in your registry that are then detected by Internet Explorer.  SpywareBlaster does not run continuously in memory.  All you do is download its updates and tell it to enable the Kill Bits.  
 
1.  Download/Install SpywareBlaster 4.1 from the link below.  
 
http://www.javacoolsoftware.com/spywareblaster.html  
 
2.  Once installed, run SpywareBlaster and select its Update feature.  
 
3.  When the updates are downloaded, click on "enable all protection".  This will set all the Kill Bits.  
 
4.  Then just close SpywareBlaster.  
 
-  New updates are released every 2-3 weeks, so run the Update every week or so to obtain new Kill Bits.  
 
-  The user forum for SpywareBlaster is at:  
 
http://www.wilderssecurity.com/forumdisplay.php?f=23
 
Install CCleaner  
 
CCleaner is a freebie program that cleans out temporary and junk files from your system.  It is not a "security program" per se; however, cleaning out temporary and junk files routinely improves system performance and aids in good security.  You can run CCleaner as frequently as you want....2-3 times per day is okay if you are doing a lot of work or surfing on your system.  
 
1.  Download/Install CCleaner 2.09.600 from the link below.  Download the SLIM installer (838 kbytes).  
 
http://www.ccleaner.com/download/builds.aspx
 
2.  Once installed, open CCleaner and run the Cleaner tool to clean out temporary and junk files.  
 
NOTE:  I do not recommend that you run the Registry tool unless you are experienced with cleaning out your system registry.    
 
-  The user forum for CCleaner is at  
 
http://forum.piriform.com/
 
Replace Adobe Reader with FoxItReader  
 
If you are only using Adobe Reader to read .PDF files that you occasionally encounter on the web, I recommend that you uninstall Adobe Reader and replace it with freebie FoxItReader.  You will save ~70 megabytes of disk space and gain a much improved response when opening .PDF files.    
 
1.  Go to Control Panel>Add and Remove Programs and uninstall Acrobat Adobe Reader.  
 
2.  Using Windows Explorer, locate and delete leftover Adobe folders from your C drive.  
 
3.  Go to the link below and download/install FoxitReader 2.3  
 
http://www.foxitsoftware.com/downloads/  
 
-  Download the file named Foxit Reader 2.3 (.exe) (2.5 mb)  
 
Here is a tip that may reclaim hundreds of megabytes of disk space for you.
 
1.  Go to the folder named Download which is located at C:\Windows\SoftwareDistribution\Download.    
 
-  The Download folder is used by Microsoft to store files that are downloaded when you update Windows via Windows Update.  These files are unnecessary once Windows Update installs the hot fixes during the update.  
 
-  You can delete all the files that are in folder Download.  Do not delete the folder itself...just the files in the folder Download.    
 
2.  Every time a MS hotfix is installed via Windows Update, a restore directory for that specific hotfix is created so that you can remove the hotfix if something goes wrong.  Typically, a user rarely has a need or desire to remove a MS Windows Hotfix once it is installed.    
 
-  These are the blue directories that are shown at the top of all the various folders under C:\Windows.  They are typically named $NTUninstallKBxxxxxx$ (where xxxxxx = the hotfix KB number).  
 
-  Once you are satisfied that you have no need to uninstall a Windows Update hotfix(es), you can delete all these $NTUninstallKBxxxxxx$ directories.    
 
-  Typically I delete them after one(1) week following Windows Update Hotfix Tuesday each month.    
 
NOTE that if you upgrade to Service Pack 3, it may delete all the old hotfix directories during the upgrade.  The Service Pack 3 "hotfix" will create its own blue directory so that you can uninstall Service Pack 3.  You can delete this directory after you are satisfied that you do not want to remove SP3.  If my memory is correct, the directory is named $NTUninstallServicePack .    
 
In addition to the above, I am sending you a forum Private Message concerning security changes/enhancements on your system.
KG4ONJ
Re: Virtumonde Eldorado Trojan - Help with removal
« Reply #10 on: Sep 9th, 2008, 8:57pm »

OK, I have to apologize - I have been a bit irresponsible.  An opportunity came up and I had to leave for about 6 weeks.  I was not able to complete your last set of instructions and while I was gone my computer was used by my family.  It appears to be back to the same condition, perhaps not as bad.
 
I did all of the same things again up through running ComboFix and a new HJT scan.  Things are significantly better but I can't help but think that things are not quite 100% yet.
 
Here is the ComboFix log:
ComboFix 08-09-05.12 - Michael Barr 2008-09-09 21:15:44.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2151 [GMT -4:00]
Running from: C:\Documents and Settings\Michael Barr\Desktop\ComboFix.exe
 * Created a new restore point
 
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
C:\Documents and Settings\Michael Barr\Cookies\michael_barr@trafficmp[1].txt
C:\Documents and Settings\Michael Barr\Cookies\michael_barr@trafficmp[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@precisionclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@trafficmp[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@zedo[1].txt
C:\WINDOWS\BMff500078.xml
 
.
(((((((((((((((((((((((((   Files Created from 2008-08-10 to 2008-09-10  )))))))))))))))))))))))))))))))
.
 
2008-09-06 17:43 . 2008-09-07 11:51    54,156    --ah-----    C:\WINDOWS\QTFont.qfn
2008-09-06 17:43 . 2008-09-06 17:43    1,409     --a------    C:\WINDOWS\QTFont.for
2008-09-06 02:18 . 2008-09-06 02:18    0         --a------    C:\WINDOWS\system32\82aMLVBg.exe.a_a
2008-09-06 00:18 . 2008-09-07 12:28    38,914    --a------    C:\WINDOWS\system32\82aMLVBg.exe
2008-09-06 00:06 . 2008-09-06 00:05    29,824    --a------    C:\WINDOWS\system32\02Pg4EiT.exe
2008-09-06 00:06 . 2008-09-06 00:06    0         --a------    C:\WINDOWS\system32\02Pg4EiT.exe.a_a
2008-08-24 09:47 . 2008-05-01 10:33    331,776   -----c---    C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-24 09:45 . 2008-04-11 15:04    691,712   -----c---    C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-24 09:23 . 2008-08-24 09:23    <DIR>     d--------    C:\WINDOWS\system32\scripting
2008-08-24 09:23 . 2008-08-24 09:23    <DIR>     d--------    C:\WINDOWS\system32\en
2008-08-24 09:23 . 2008-08-24 09:23    <DIR>     d--------    C:\WINDOWS\l2schemas
2008-08-18 20:57 . 2008-04-13 20:11    650,752   ---------    C:\WINDOWS\system32\dot3ui.dll
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-10 01:11    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\FRISK Software
2008-09-09 22:49    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-07 18:48    ---------    d-----w    C:\Program Files\Finale 2003
2008-08-07 10:50    ---------    d-----w    C:\Program Files\Java
2008-07-31 23:54    39,248       ----a-w    C:\Documents and Settings\Michael Barr\Application Data\GDIPFONTCACHEV1.DAT
2008-07-26 23:37    ---------    d-----w    C:\Documents and Settings\Michael Barr\Application Data\CoreFTP
2008-07-26 13:48    162,914      ----a-w    C:\WINDOWS\system32\KG4ONJ.zip
2008-07-26 13:39    162,848      ----a-w    C:\WINDOWS\system32\wsfmxdmp.zip
2008-07-26 10:49    ---------    d-----w    C:\Documents and Settings\Michael Barr\Application Data\TrojanHunter
2008-07-25 22:22    ---------    d-----w    C:\Program Files\TrojanHunter 5.0
2008-07-25 21:56    ---------    d-----w    C:\Program Files\Trend Micro
2008-07-25 02:34    ---------    d-----w    C:\Documents and Settings\Michael Barr\Application Data\FRISK Software
2008-07-24 05:38    ---------    d-----w    C:\Program Files\Google
2008-07-24 02:39    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-24 02:37    ---------    d-----w    C:\Program Files\Lavasoft
2008-07-24 02:37    ---------    d-----w    C:\Program Files\Common Files\Wise Installation Wizard
2008-07-23 18:51    ---------    d-----w    C:\Documents and Settings\Michael Barr\Application Data\BitTorrent
2008-07-20 12:04    ---------    d-----w    C:\Documents and Settings\Michael Barr\Application Data\Sibelius Software
2008-07-20 12:03    604          ---ha-w    C:\Program Files\STLL Notifier
2008-07-20 12:03    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\Sibelius Software
2008-07-20 11:58    ---------    d-----w    C:\Program Files\Sibelius Software
2008-07-19 02:10    94,920       ----a-w    C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10    53,448       ----a-w    C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10    45,768       ----a-w    C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10    36,552       ----a-w    C:\WINDOWS\system32\wups.dll
2008-07-19 02:09    563,912      ----a-w    C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09    325,832      ----a-w    C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09    205,000      ----a-w    C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09    1,811,656    ----a-w    C:\WINDOWS\system32\wuaueng.dll
2008-07-11 03:08    ---------    d-----w    C:\Documents and Settings\Michael Barr\Application Data\U3
2008-07-07 20:26    253,952      ----a-w    C:\WINDOWS\system32\es.dll
2008-06-24 16:43    74,240       ----a-w    C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57    826,368      ----a-w    C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46    245,248      ----a-w    C:\WINDOWS\system32\mswsock.dll
2008-04-25 18:32    5,817,064    ----a-w    C:\Program Files\mozilla firefox\plugins\ScorchPDFWrapper.dll
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown  
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"SetDefaultMIDI"="MIDIDef.exe" [2005-05-24 C:\WINDOWS\MIDIDEF.EXE]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 90112]
"EKIJ5000StatusMonitor"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2007-04-03 753664]
"MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe" [2001-07-25 241714]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 385024]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-17 49152]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"MediaFace Integration"="C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe" [2003-08-18 53248]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2008-07-09 1056928]
"CTHelper"="CTHELPER.EXE" [2005-05-24 C:\WINDOWS\CTHELPER.EXE]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 C:\WINDOWS\KHALMNPR.Exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 C:\WINDOWS\KHALMNPR.Exe]
 
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2008-02-02 49254]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-04-27 124400]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-02-01 692224]
Microsoft Office.lnk - C:\Program Files\Microsoft Office XP\Office10\OSA.EXE [2001-02-13 83360]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
"C:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
"C:\\CAVEDOG\\TOTALA\\TotalA.exe"=
"C:\\Program Files\\DXport\\DXPort.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\TADemo\\SERVER.EXE"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Motorola\\Software Update\\msu.exe"=
"C:\\kav\\kav7\\setup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
 
R2 KodakSvc;Kodak AiO Device Service;C:\Program Files\Kodak\printer\center\KodakSvc.exe [2007-03-22 9728]
S2 ousbehci;OrangeWare USB Enhanced Host Controller Service;C:\WINDOWS\system32\Drivers\ousbehci.sys [2005-06-14 45440]
S3 DCamUSBVeo532;Veo Stingray/Connect Web Camera;C:\WINDOWS\system32\Drivers\ubVeo532.sys [2002-07-01 95232]
S3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\getnd5b.sys [2004-01-29 44544]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2007-10-10 42112]
S3 ousb2hub;OrangeWare USB 2.0 Hub Support;C:\WINDOWS\system32\DRIVERS\ousb2hub.sys [2005-06-14 56960]
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e49a8b38-eebc-11dc-956b-00112fdd6d54}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
 
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D48g43BC-4266-43f0-B6ED-9D38C4202C7E}]
C:\Program Files\Common Files\mscd.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Michael Barr\Application Data\Mozilla\Firefox\Profiles\l7ndjano.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.woot.com
FF -: plugin - C:\Program Files\Google\Google Updater\2.2.1202.1501\npCIDetect11.dll
.
 
**************************************************************************
 
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-09 21:41:40
Windows 5.1.2600 Service Pack 3 NTFS
 
scanning hidden processes ...  
 
scanning hidden autostart entries ...
 
scanning hidden files ...  
 
scan completed successfully
hidden files: 0
 
**************************************************************************
.
Completion time: 2008-09-09 21:43:03
ComboFix-quarantined-files.txt  2008-09-10 01:42:28
 
Pre-Run: 41,666,646,016 bytes free
Post-Run: 43,553,865,728 bytes free
 
152 --- E O F --- 2008-08-25 07:01:05
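The ComboFix log above mixes four kinds of entries that a reviewer reads differently: Run-key values (some of which are bare file names such as CTHELPER.EXE that Windows resolves through the PATH search order), firewall exceptions (including one for an installer, setup.exe), a removable-volume AutoRun command under MountPoints2, and an Active Setup Installed Components key whose name contains a non-hex character and whose stub command is an executable sitting directly in Common Files. The script below is an added example, not the poster's code and not part of ComboFix or TrojanHunter; it parses a constructed handful of log lines written in ComboFix's format (the sample is not the full log) and applies these review heuristics. The severity labels and the set of checks are my own assumptions about what is worth a manual look; the script does not decide that anything is malicious.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the style of a ComboFix log. It is not the poster's
# full log, only a few entry types that the checks below look at.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2008-07-09 1056928]
"CTHelper"="CTHELPER.EXE" [2005-05-24 C:\WINDOWS\CTHELPER.EXE]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\kav\\kav7\\setup.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e49a8b38-eebc-11dc-956b-00112fdd6d54}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D48g43BC-4266-43f0-B6ED-9D38C4202C7E}]
C:\Program Files\Common Files\mscd.exe
"""

# A well-formed registry GUID: 8-4-4-4-12 hex digits inside braces.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# "Name"="value" lines as ComboFix prints Run-key entries.
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')
# "path"= lines in the firewall AuthorizedApplications list.
FW_RE = re.compile(r'^"([^"]+)"=')

# (severity, reason, offending line or key)
Finding = Tuple[str, str, str]


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Group the non-empty lines under the [registry key] header above them."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def audit(text: str) -> List[Finding]:
    """Apply review heuristics (assumptions, not ComboFix logic) to the log."""
    findings: List[Finding] = []
    for key, lines in parse_sections(text).items():
        lower = key.lower()
        if lower.endswith("\\currentversion\\run"):
            # A value with no directory part is located via the PATH search
            # order, so the binary that actually runs must be confirmed.
            for line in lines:
                m = VALUE_RE.match(line)
                if m and not re.search(r"[\\/]", m.group(2)):
                    findings.append(("medium",
                                     "Run entry is a bare file name; resolved via PATH, "
                                     "confirm the real binary location", line))
        elif "active setup\\installed components\\" in lower:
            # Active Setup stubs run at user logon; the key name is expected
            # to be a GUID, and a malformed one is worth a look.
            name = key.rsplit("\\", 1)[1]
            if not GUID_RE.match(name):
                target = lines[0] if lines else "(no command listed)"
                findings.append(("high",
                                 f"Active Setup component {name} is not a well-formed "
                                 f"GUID; it runs {target} at logon", key))
        elif "\\mountpoints2\\" in lower:
            # AutoRun command cached for a removable volume.
            for line in lines:
                if "\\shell\\autorun\\command" in line.lower():
                    findings.append(("medium",
                                     "AutoRun command recorded for a removable volume; "
                                     "it runs when the volume is opened", line))
        elif "\\authorizedapplications\\list" in lower:
            # A persistent inbound exception for an installer is rarely needed.
            for line in lines:
                m = FW_RE.match(line)
                if not m:
                    continue
                base = m.group(1).replace("\\\\", "\\").lower().rsplit("\\", 1)[-1]
                if base in {"setup.exe", "install.exe"}:
                    findings.append(("low",
                                     "Firewall exception for an installer binary; "
                                     "remove it once the install is done", line))
    return findings


if __name__ == "__main__":
    for severity, reason, where in audit(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {where}")
```

On the sample this reports the CTHELPER.EXE Run entry, the setup.exe firewall exception, the E:\LaunchU3.exe AutoRun command and the Active Setup key, and leaves the fully-pathed THGuard entry and the sessmgr.exe exception alone; the sections are processed in the order they appear in the log.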
KG4ONJ
Newbie
Posts: 9
Re: Virtumonde Eldorado Trojan - Help with removal
« Reply #11 on: Sep 9th, 2008, 8:58pm »

And the HJT log:
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:21 PM, on 9/9/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office XP\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/os