Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Infected with Troj/Virtum-Gen and Troj/Dialer-FI [CLOSED]

Started by Amaranth , Jul 11 2008 04:07 PM

  • This topic is locked This topic is locked

#1
Amaranth
Posted 11 July 2008 - 04:07 PM

Amaranth

    New Member

  • Member
  • Pip
  • 1 posts
Hello-

My system is currently infected with 2 trojans:

Troj/Virtum-Gen and Troj/Dialer-FI

I don't know why I pay for Spysweeper with Antivirus, because this is the third time it has let Virtum-Gen onto my system. Most programs I have already run in safe mode, and they can detect the trojans, but always fail to quarantine or clean. I have already tried removal via Spysweeper, Super Anti-Spyware, Malaware Bytes' Anti-Malaware, VundoFix, and VirtumundoBeGone. I have even reinstalled and repaired Windows. This sucker is staying put! Please help! I have been trying to get this thing off for days!

I use Windows XP. I am posting a Hijack this log and I did the Panda scan, which I will include also.

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:08:58 PM, on 7/11/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\CTHELPER.EXE
C:\Program Files\SPAMfighter\SFAgent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\SPAMfighter\sfus.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\Tablet.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\System32\WTablet\TabUserW.exe
C:\WINNT\System32\Tablet.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O1 - Hosts: 209.216.253.186 www.winmx.com err.winmx.com
O1 - Hosts: 65.75.216.6 cache0.winmx.com test3201.winmx.com test3206.winmx.com
O1 - Hosts: 65.75.216.7 cache1.winmx.com test3202.winmx.com test3207.winmx.com
O1 - Hosts: 82.43.229.238 cache2.winmx.com test3203.winmx.com test3208.winmx.com
O1 - Hosts: 205.238.40.1 cache3.winmx.com test3204.winmx.com
O1 - Hosts: 205.238.40.2 cache4.winmx.com test3205.winmx.com
O1 - Hosts: 65.75.216.6 c3310.z1301.winmx.com c3310.z1302.winmx.com c3310.z1303.winmx.com c3310.z1304.winmx.com c3310.z1305.winmx.com c3310.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3311.z1301.winmx.com c3311.z1302.winmx.com c3311.z1303.winmx.com c3311.z1304.winmx.com c3311.z1305.winmx.com c3311.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3312.z1301.winmx.com c3312.z1302.winmx.com c3312.z1303.winmx.com c3312.z1304.winmx.com c3312.z1305.winmx.com c3312.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3313.z1301.winmx.com c3313.z1302.winmx.com c3313.z1303.winmx.com c3313.z1304.winmx.com c3313.z1305.winmx.com c3313.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3314.z1301.winmx.com c3314.z1302.winmx.com c3314.z1303.winmx.com c3314.z1304.winmx.com c3314.z1305.winmx.com c3314.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3315.z1301.winmx.com c3315.z1302.winmx.com c3315.z1303.winmx.com c3315.z1304.winmx.com c3315.z1305.winmx.com c3315.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3316.z1301.winmx.com c3316.z1302.winmx.com c3316.z1303.winmx.com c3316.z1304.winmx.com c3316.z1305.winmx.com c3316.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3317.z1301.winmx.com c3317.z1302.winmx.com c3317.z1303.winmx.com c3317.z1304.winmx.com c3317.z1305.winmx.com c3317.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3318.z1301.winmx.com c3318.z1302.winmx.com c3318.z1303.winmx.com c3318.z1304.winmx.com c3318.z1305.winmx.com c3318.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3319.z1301.winmx.com c3319.z1302.winmx.com c3319.z1303.winmx.com c3319.z1304.winmx.com c3319.z1305.winmx.com c3319.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3520.z1301.winmx.com c3520.z1302.winmx.com c3520.z1303.winmx.com c3520.z1304.winmx.com c3520.z1305.winmx.com c3520.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3521.z1301.winmx.com c3521.z1302.winmx.com c3521.z1303.winmx.com c3521.z1304.winmx.com c3521.z1305.winmx.com c3521.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3522.z1301.winmx.com c3522.z1302.winmx.com c3522.z1303.winmx.com c3522.z1304.winmx.com c3522.z1305.winmx.com c3522.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3523.z1301.winmx.com c3523.z1302.winmx.com c3523.z1303.winmx.com c3523.z1304.winmx.com c3523.z1305.winmx.com c3523.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3524.z1301.winmx.com c3524.z1302.winmx.com c3524.z1303.winmx.com c3524.z1304.winmx.com c3524.z1305.winmx.com c3524.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3525.z1301.winmx.com c3525.z1302.winmx.com c3525.z1303.winmx.com c3525.z1304.winmx.com c3525.z1305.winmx.com c3525.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3526.z1301.winmx.com c3526.z1302.winmx.com c3526.z1303.winmx.com c3526.z1304.winmx.com c3526.z1305.winmx.com c3526.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3527.z1301.winmx.com c3527.z1302.winmx.com c3527.z1303.winmx.com c3527.z1304.winmx.com c3527.z1305.winmx.com c3527.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3528.z1301.winmx.com c3528.z1302.winmx.com c3528.z1303.winmx.com c3528.z1304.winmx.com c3528.z1305.winmx.com c3528.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3529.z1301.winmx.com c3529.z1302.winmx.com c3529.z1303.winmx.com c3529.z1304.winmx.com c3529.z1305.winmx.com c3529.z1306.winmx.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - HKUS\S-1-5-21-646250916-2034156450-1576919974-1003\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" (User '?')
O4 - HKUS\S-1-5-21-646250916-2034156450-1576919974-1003\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" (User '?')
O4 - HKUS\S-1-5-18\..\Run: [SetDefaultMIDI] MIDIDef.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [SetDefaultMIDI] MIDIDef.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O15 - Trusted IP range: 213.159.118.226
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {63F5866B-A7C5-40B4-9A89-0CCA99726C8D} (LogMeIn Rescue Applet Downloader) - https://secure.logme...eDownloader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1188133303421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1188133288734
O16 - DPF: {D6E0B119-DCF2-4CD6-8DFB-7CFF1B70F7FF} (TeamOn Import Object) - http://bis.na.blackb...ls/TOImport.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network DDE (NetDDE) - Unknown owner - C:\WINNT\system32\netdde.exe (file missing)
O23 - Service: Network DDE DSDM (NetDDEdsdm) - Unknown owner - C:\WINNT\system32\netdde.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\System32\Tablet.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINNT\System32\ups.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--



Panda Active Scan Log:


MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
=================================================================================
===================
00003428 adware/memorywatcher Adware No 0 Yes No hkey_local_machine\software\microsoft\internet explorer\window restrictions\iexplore.exe
00024343 adware/keenvalue Adware No 0 Yes No c:\winnt\browserxtras\pn\remove.exe
00029258 application/altnet HackTools No 0 Yes No c:\winnt\smdat32a.sys
00041446 application/myway HackTools No 0 Yes No hkey_classes_root\clsid\{66fc8717-efa7-4546-8c4a-e224f3a80c76}
00041446 application/myway HackTools No 0 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{66FC8717-EFA7-4546-8C4A-E224F3A80C76}
00041446 application/myway HackTools No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}
00048301 Adware/KeenValue Adware No 0 Yes No C:\WINNT\browserxtras\pn\remove.exe
00132447 adware program Adware No 0 Yes No c:\winnt\system32\data.~
00139535 Application/Processor HackTools No 0 Yes No C:\WINNT\system32\Process.exe
00139535 Application/Processor HackTools No 0 No No C:\Documents and Settings\Owner\Desktop\HijackTHIS\SDFix.exe[SDFix\apps\Process.exe]
00139535 Application/Processor HackTools No 0 No No C:\Documents and Settings\Owner\Desktop\VirtumundoBeGone.exe[²ƒÇ]
00211158 application/bestoffer HackTools No 0 Yes No c:\winnt\smdat32m.sys
00244915 Adware/KeenValue Adware No 0 No No C:\WINNT\browserxtras\pn\remove.exe[PerfectNavUninstall.exe]
00519333 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Owner\Desktop\VirtumundoBeGone.exe
02634745 Application/Playmp3z HackTools No 0 Yes No C:\Documents and Settings\Owner\Shared\beethovens last night.zip[Setup.exe]
03073168 Dialer.LER Dialers No 0 Yes No C:\Documents and Settings\Owner\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.28211
;===============================================================================
=================================================================================
===================
SUSPECTS
Sent Location jXs5
;===============================================================================
=================================================================================
===================
No C:\WINNT\browserxtras\pn\remove.exe[PerfectNavUninstall.exe][updmgrUninstall.exe] jXs5
;===============================================================================
=================================================================================
===================
VULNERABILITIES
Id Severity Description jXs5
;===============================================================================
=================================================================================
===================
133387 MEDIUM MS06-065 jXs5
133386 MEDIUM MS06-064 jXs5
133385 MEDIUM MS06-063 jXs5
133379 HIGH MS06-057 jXs5
131654 HIGH MS06-055 jXs5
129977 MEDIUM MS06-053 jXs5
129976 MEDIUM MS06-052 jXs5
126093 HIGH MS06-051 jXs5
126092 MEDIUM MS06-050 jXs5
126087 HIGH MS06-046 jXs5
126086 MEDIUM MS06-045 jXs5
126083 HIGH MS06-042 jXs5
126082 HIGH MS06-041 jXs5
126081 HIGH MS06-040 jXs5
123421 HIGH MS06-036 jXs5
123420 HIGH MS06-035 jXs5
120825 MEDIUM MS06-032 jXs5
120823 MEDIUM MS06-030 jXs5
120818 HIGH MS06-025 jXs5
120815 HIGH MS06-022 jXs5
120814 HIGH MS06-021 jXs5
117384 MEDIUM MS06-018 jXs5
114666 HIGH MS06-015 jXs5
114664 HIGH MS06-013 jXs5
111790 MEDIUM MS06-011 jXs5
108744 MEDIUM MS06-008 jXs5
108743 MEDIUM MS06-007 jXs5
108742 MEDIUM MS06-006 jXs5
104567 HIGH MS06-002 jXs5
104237 HIGH MS06-001 jXs5
101055 HIGH MS05-054 jXs5
96574 HIGH MS05-053 jXs5
93396 HIGH MS05-052 jXs5
93395 HIGH MS05-051 jXs5
93394 HIGH MS05-050 jXs5
93454 MEDIUM MS05-049 jXs5

Edited by Amaranth, 11 July 2008 - 04:12 PM.

  • 0

Advertisements

#2
Mike
Posted 12 July 2008 - 11:42 AM

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi,

I notice you have no Anti-Virus program installed on your computer. These programs are necessary in keeping your computer free of malware, without it you are very likely to get re-infected within a very short period of time and we would be wasting our time. Please download the following:

AntiVir

Update it and run a full scan.

Download the HostsXpert 3.7 - Hosts File Manager.
  • Unzip HostsXpert 3.7 - Hosts File Manager to a convenient folder such as C:\HostsXpert
  • Click HostsXpert.exe to Run HostsXpert 3.7 - Hosts File Manager from its new home
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click Restore Microsoft's Hosts file and then click OK.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

And,

Please download Runscanner to your desktop and run it.
  • When the first page comes up select Beginner Mode
  • On the next page select Save a binary .Run file (Recommended) then click Start full scan at the top.
  • At this time Runscanner.exe may request access to the Internet through your firewall please allow it to do so, it will then run for two or three minutes.
  • On completion it will ask for a location to save the file and a name. It will do this for both the .run file and the log file
  • Call the .run file "Select a name" and save it to your desktop. You will see the .run file on your desktop. Upload that file here. If the forum doesn't let you upload it then please zip the .run file by right clicking and selecting send to Zip file.

To attach a file, do the following:* Click Add Reply
* Under the reply panel is the Attachments Panel
* Browse for the attachment file you want to upload, then click the green Upload button
* Once it has uploaded, click the Manage Current Attachments drop down box
* Click on Posted Image to insert the attachment into your post

Edited by Mike, 12 July 2008 - 11:43 AM.

  • 0

#3
Mike
Posted 16 July 2008 - 03:55 AM

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP