virtumonde (ugh)


audric91
10-01-2008, 12:55 AM
I've been having problems with a virus called virtumonde.prx or virtumonde.dll.

Not sure exactly what it is, but I tried downloading mIRC the other day, and I think that's how I got the virus. Apparently there are some files in c://windows/system32 and one of them was called something like ckaofix.dll (off the top of my head). I tried deleting it to no avail.

Please help!!!

glc
10-01-2008, 01:59 AM
The easiest and best way to get rid of that one is back up your files, reformat, and reinstall Windows and your software.

If you downloaded mIRC from the official site (download.com) or one of the official mirrors, that's not where it came from.

audric91
10-01-2008, 02:06 AM
Well... heh... I was trying to get a keygen cuz I'm a sneaky Asian that doesn't like paying for things...

And yeah... I remember my Spybot resident popping up when I tried running the program. I've deleted most suspicious files, but it's still going...

That's exactly what I don't want... I'd hate to delete everything. Even if I backed up some stuff, it'd be a pain to get everything back.

I got a log from Spyware Doctor, which I got from HijackThis, but I think the file should be in this post.

I shall post a Malwarebytes log soon.

Edit:

I have to manually post a list of the results as I don't know where to find the logs for Spyware Doctor/HijackThis.
PC Tools Spyware Doctor
Date Status
1/10/2008 2:45:34 PM:500 Service Started
Spyware Doctor Service Application started
1/10/2008 2:45:34 PM:500 Anti-Malware Engine
Anti-Malware engine configuration loaded successfully.
1/10/2008 2:45:35 PM:656 Anti-Malware Engine
Anti-Malware detection engine was disabled
1/10/2008 2:46:22 PM:93 IntelliGuards status
All IntelliGuards were Enabled
1/10/2008 2:47:17 PM:78 Immunizer Results
ActiveX section has been immunized, Processed 3156 items.
1/10/2008 2:47:58 PM:968 Anti-Malware Engine
Anti-Malware engine configuration loaded successfully.
1/10/2008 2:48:03 PM:171 Immunizer Results
ActiveX section has been immunized. No items were processed.
1/10/2008 2:48:15 PM:375 Scan Started
Scan Type - Intelli-Scan

1/10/2008 2:50:06 PM:484 Scan Finished
Scan Type - Intelli-Scan
Items Processed - 0
Threats Detected - 0
Infections Detected - 0
Infections Ignored - 0

1/10/2008 2:50:39 PM:437 Service Stopped
Spyware Doctor Service Application Stopped
1/10/2008 2:53:06 PM:0 Service Started
Spyware Doctor Service Application started
1/10/2008 2:53:06 PM:15 Anti-Malware Engine
Anti-Malware engine configuration loaded successfully.
1/10/2008 2:53:06 PM:203 IntelliGuards status
All IntelliGuards were Enabled
1/10/2008 2:53:19 PM:796 Immunizer Results
ActiveX section has been immunized, Processed 6 items.
1/10/2008 2:53:43 PM:62 Scan Started
Scan Type - Intelli-Scan

1/10/2008 2:54:22 PM:250 Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - campaigns.empoweredcomms.com.au/ campaigns.empoweredcomms.com.au

1/10/2008 2:54:22 PM:390 Infection was detected on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - overture.com/ overture.com

1/10/2008 2:54:25 PM:140 Infection was detected on this computer
Threat Name - Trojan.Mondera
Type - Module
Risk Level - Medium
Infection - Explorer.EXE (C:\WINDOWS\system32\hgGvuSli.dll)

1/10/2008 2:55:05 PM:437 Infection was detected on this computer
Threat Name - Trojan.Mondera
Type - File
Risk Level - Medium
Infection - C:\WINDOWS\system32\hgGvuSli.dll

1/10/2008 2:55:05 PM:453 Infection was detected on this computer
Threat Name - Trojan.Mondera
Type - Registry Key
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2B8D1FA7-6176-42FB-99D8-480BE851A8C0}

1/10/2008 2:55:10 PM:765 Infection was detected on this computer
Threat Name - Trojan.Mondera
Type - Internet Temporary File
Risk Level - Medium
Infection - C:\Documents and Settings\Jeremiah\Local Settings\Temporary Internet Files\Content.IE5\GL4LBQZ4\cntr[1] - http://89.18.189.165/img/cntr.dll?sid=83545F5A4F080F0F000D54585F5D515D5C4F1F545B365C365836085B51363A0C1B1F000A0C4939080A02495A4F0A000D545C5D2C512B28582A502A58595D5D512F502D2A2C5D5E5D28285D2D50585D5A5F4F081D545E2D2C2C5E502B28512D5D5A58582D2D50582C2A585F5D515D5C2A2F2F2F2F2F4F1E1D545F5F5B580B0A5B5F59584F0B0054585E5C4F04061B1901000D54001B185D4F1B0C1F000D54505A5E5169EA01

1/10/2008 2:55:10 PM:921 Infection was detected on this computer
Threat Name - Trojan.Mondera
Type - Internet Temporary File
Risk Level - Medium
Infection - C:\Documents and Settings\Jeremiah\Local Settings\Temporary Internet Files\Content.IE5\GL4LBQZ4\cntr[2] - http://89.18.189.165/img/cntr.dll?sid=60545F5A4F080F0F000D54585F5D515D5C4F1F545B365C365836085B51363A0C1B1F000A0C4939080A02495A4F0A000D545C5D2C512B28582A502A58595D5D512F502D2A2C5D5E5D28285D2D50585D5A5F4F081D545E2D2C2C5E502B28512D5D5A58582D2D50582C2A585F5D515D5C2A2F2F2F2F2F4F1E1D545C580F5A0B0A5B5F59584F0B0054585E5C4F04061B1901000D54001B185D4F1B0C1F000D54505A5E51690901

1/10/2008 2:55:11 PM:15 Infection was detected on this computer
Threat Name - Trojan.Mondera
Type - Internet Temporary File
Risk Level - Medium
Infection - C:\Documents and Settings\Jeremiah\Local Settings\Temporary Internet Files\Content.IE5\7C0VAF57\cntr[1] - http://89.18.189.165/img/cntr.dll?sid=20545F5A4F080F0F000D54585F5D515D5C4F1F545B365C365836085B51363A0C1B1F000A0C4939080A02495A4F0A000D545C5D2C512B28582A502A58595D5D512F502D2A2C5D5E5D28285D2D50585D5A5F4F081D545E2D2C2C5E502B28512D5D5A58582D2D50582C2A585F5D515D5C2A2F2F2F2F2F4F1E1D540A5B5C510B0F5B5F59584F0B0054585E5C4F04061B1901000D54001B185D4F1B0C1F000D54505A5E51694901

1/10/2008 2:55:11 PM:46 Infection was detected on this computer
Threat Name - Trojan.Mondera
Type - Internet Temporary File
Risk Level - Medium
Infection - C:\Documents and Settings\Jeremiah\Local Settings\Temporary Internet Files\Content.IE5\7C0VAF57\cntr[2] - http://89.18.189.165/img/cntr.dll?sid=CF545F5A4F080F0F000D54585F5D515D5C4F1F545B365C365836085B51363A0C1B1F000A0C4939080A02495A4F0A000D545C5D2C512B28582A502A58595D5D512F502D2A2C5D5E5D28285D2D50585D5A5F4F081D545E2D2C2C5E502B28512D5D5A58582D2D50582C2A585F5D515D5C2A2F2F2F2F2F4F1E1D5451510B5E0B0F5B5F59584F0B0054585E5C4F04061B1901000D54001B185D4F1B0C1F000D54505A5E5169A601

1/10/2008 2:55:30 PM:609 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan, RID

1/10/2008 2:55:30 PM:609 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan

1/10/2008 2:55:30 PM:625 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System, Uid

1/10/2008 2:55:30 PM:625 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System, (Default)

1/10/2008 2:55:30 PM:625 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System, Shows

1/10/2008 2:55:30 PM:625 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System, Uqs

1/10/2008 2:55:30 PM:625 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System

1/10/2008 3:02:57 PM:906 Infection was detected on this computer
Threat Name - Backdoor.MoSucker
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, admin

1/10/2008 3:32:11 PM:218 Infection was detected on this computer
Threat Name - Backdoor.Agent.CFC
Type - Registry Value
Risk Level - High
Infection - HKEY_USERS\S-1-5-21-2004011164-1013524446-3294846723-1006\Software\Microsoft\Windows\CurrentVersion\Explorer, WINID

1/10/2008 3:32:13 PM:609 Infection was detected on this computer
Threat Name - Trojan-Proxy.Small.DU
Type - Registry Value
Risk Level - High
Infection - HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Desktop, host

1/10/2008 3:32:13 PM:609 Infection was detected on this computer
Threat Name - Adware.Component.Unrelated
Type - Registry Value
Risk Level - Medium
Infection - HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Desktop, id

1/10/2008 3:35:56 PM:937 Infection was detected on this computer
Threat Name - Trojan-Proxy.Small.DU
Type - Registry Value
Risk Level - High
Infection - HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Desktop, host

1/10/2008 3:35:56 PM:937 Infection was detected on this computer
Threat Name - Trojan-Proxy.Small.DU
Type - Registry Value
Risk Level - High
Infection - HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Desktop, id

1/10/2008 3:36:04 PM:671 Infection was detected on this computer
Threat Name - RogueAntiSpyware.SpywareNo
Type - Registry Value
Risk Level - High
Infection - HKEY_USERS\S-1-5-21-2004011164-1013524446-3294846723-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1A26F07F-0D60-4835-91CF-1E1766A0EC56}\iexplore, Type

1/10/2008 3:36:04 PM:687 Infection was detected on this computer
Threat Name - RogueAntiSpyware.SpywareNo
Type - Registry Value
Risk Level - High
Infection - HKEY_USERS\S-1-5-21-2004011164-1013524446-3294846723-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1A26F07F-0D60-4835-91CF-1E1766A0EC56}\iexplore, Flags

1/10/2008 3:36:04 PM:687 Infection was detected on this computer
Threat Name - RogueAntiSpyware.SpywareNo
Type - Registry Value
Risk Level - High
Infection - HKEY_USERS\S-1-5-21-2004011164-1013524446-3294846723-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1A26F07F-0D60-4835-91CF-1E1766A0EC56}\iexplore, Count

1/10/2008 3:36:04 PM:687 Infection was detected on this computer
Threat Name - RogueAntiSpyware.SpywareNo
Type - Registry Value
Risk Level - High
Infection - HKEY_USERS\S-1-5-21-2004011164-1013524446-3294846723-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1A26F07F-0D60-4835-91CF-1E1766A0EC56}\iexplore, Time

1/10/2008 3:36:04 PM:687 Infection was detected on this computer
Threat Name - RogueAntiSpyware.SpywareNo
Type - Registry Value
Risk Level - High
Infection - HKEY_USERS\S-1-5-21-2004011164-1013524446-3294846723-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1A26F07F-0D60-4835-91CF-1E1766A0EC56}\iexplore, Blocked

1/10/2008 3:36:04 PM:703 Infection was detected on this computer
Threat Name - RogueAntiSpyware.SpywareNo
Type - Registry Key
Risk Level - High
Infection - HKEY_USERS\S-1-5-21-2004011164-1013524446-3294846723-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1A26F07F-0D60-4835-91CF-1E1766A0EC56}\iexplore

1/10/2008 3:36:04 PM:703 Infection was detected on this computer
Threat Name - RogueAntiSpyware.SpywareNo
Type - Registry Key
Risk Level - High
Infection - HKEY_USERS\S-1-5-21-2004011164-1013524446-3294846723-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1A26F07F-0D60-4835-91CF-1E1766A0EC56}

1/10/2008 3:36:29 PM:93 Infection was detected on this computer
Threat Name - Backdoor.IRC.Flood
Type - File
Risk Level - High
Infection - c:\windows\system32\nts.dll

1/10/2008 3:36:29 PM:93 Infection was detected on this computer
Threat Name - Backdoor.IRC.Flood
Type - Startup
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDLLs, C:\WINDOWS\system32\nts.dll = 1

1/10/2008 3:36:29 PM:109 Infection was detected on this computer
Threat Name - Backdoor.IRC.Flood
Type - Module
Risk Level - High
Infection - VPTray.exe (C:\WINDOWS\system32\nts.dll)

1/10/2008 3:36:32 PM:265 Infection was detected on this computer
Threat Name - Backdoor.IRC.Flood
Type - Module
Risk Level - High
Infection - Rtvscan.exe (C:\WINDOWS\system32\NTS.dll)

1/10/2008 3:36:43 PM:734 Infection was detected on this computer
Threat Name - Trojan.Generic
Type - Registry Value
Risk Level - Medium
Infection - HKEY_USERS\S-1-5-21-2004011164-1013524446-3294846723-1006\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr

1/10/2008 3:36:47 PM:796 Infection was detected on this computer
Threat Name - Application.Perfect_Keylogger
Type - Startup
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, admin = C:\Program Files\BPK\admin.exe

1/10/2008 3:36:48 PM:921 Infection was detected on this computer
Threat Name - Trojan.Mondera
Type - File
Risk Level - Medium
Infection - c:\windows\system32\ddcbsleu.DLL

1/10/2008 3:36:48 PM:921 Infection was detected on this computer
Threat Name - Trojan.Mondera
Type - Startup
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, Authentication Packages = C:\WINDOWS\system32\ddcBSLEU

1/10/2008 3:36:48 PM:921 Infection was detected on this computer
Threat Name - Trojan.Mondera
Type - Startup
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa, Authentication Packages = C:\WINDOWS\system32\ddcBSLEU

1/10/2008 3:37:24 PM:796 Infection was detected on this computer
Threat Name - Backdoor.IRC.Flood
Type - Startup
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDLLs, C:\Program Files\Common Files\Symantec Shared\SNDunin.dll = 1

1/10/2008 3:37:24 PM:796 Infection was detected on this computer
Threat Name - Backdoor.IRC.Flood
Type - File
Risk Level - High
Infection - c:\program files\common files\symantec shared\sndunin.dll

1/10/2008 3:38:12 PM:359 Scan Finished
Scan Type - Intelli-Scan
Items Processed - 200964
Threats Detected - 12
Infections Detected - 40
Infections Ignored - 0
And that's the HijackThis log, I think.
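
As an added example (editor's code, not from the thread, PC Tools or any poster), here is a small Python parser for the Spyware Doctor log format pasted above. It splits the log into timestamped events, counts detections by threat name and item type, cross-checks the parse against the "Scan Finished" totals, and pulls out every detection that sits in an autostart or load-point location (Run keys, Browser Helper Objects, the LSA Authentication Packages value, SharedDLLs), which is what a responder looks at first when deciding whether a file-only cleanup can hold. The embedded sample is a constructed subset of the posted entries; the marker list, the function names and the record layout are my own choices, not anything the tool defines.

```python
import re
from collections import Counter

# Constructed sample in the PC Tools Spyware Doctor log format from the thread:
# four of the posted detections, reproduced as-is, between the scan start/finish lines.
SAMPLE_LOG = r"""
1/10/2008 2:53:43 PM:62 Scan Started
Scan Type - Intelli-Scan
1/10/2008 2:55:05 PM:453 Infection was detected on this computer
Threat Name - Trojan.Mondera
Type - Registry Key
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2B8D1FA7-6176-42FB-99D8-480BE851A8C0}
1/10/2008 2:55:30 PM:609 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan
1/10/2008 3:36:47 PM:796 Infection was detected on this computer
Threat Name - Application.Perfect_Keylogger
Type - Startup
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, admin = C:\Program Files\BPK\admin.exe
1/10/2008 3:36:48 PM:921 Infection was detected on this computer
Threat Name - Trojan.Mondera
Type - Startup
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, Authentication Packages = C:\WINDOWS\system32\ddcBSLEU
1/10/2008 3:38:12 PM:359 Scan Finished
Scan Type - Intelli-Scan
Items Processed - 200964
Threats Detected - 12
Infections Detected - 40
Infections Ignored - 0
"""

# Event header: "M/D/YYYY H:MM:SS AM:ms Event name"; the detail lines under it are "Key - Value".
HEADER_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M):(\d{1,3}) (.+)$")
DETECTED = "Infection was detected on this computer"

# Load points that re-launch a component at boot or logon (my own list, not the tool's).
# Deleting a DLL while one of these still references it is how "deleted it but it's
# still going" cleanups go wrong.
PERSISTENCE_MARKERS = (
    r"\CurrentVersion\Run",
    r"\Browser Helper Objects",
    r"\Control\Lsa",          # Authentication Packages / Notification Packages values
    r"\SharedDLLs",
)

def parse_log(text):
    """Return a list of {'time', 'event', 'fields'} dicts, one per timestamped event."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = {"time": m.group(1), "event": m.group(3), "fields": {}}
            events.append(current)
        elif line and current is not None:
            key, sep, value = line.partition(" - ")   # split on the first ' - ' only
            if sep:                                    # free-form lines without it are skipped
                current["fields"][key.strip()] = value.strip()
    return events

def detections(events):
    return [e for e in events if e["event"] == DETECTED]

def summarize(events):
    """Counters of detections per threat name and per item type."""
    by_threat, by_type = Counter(), Counter()
    for e in detections(events):
        by_threat[e["fields"].get("Threat Name", "?")] += 1
        by_type[e["fields"].get("Type", "?")] += 1
    return by_threat, by_type

def persistence_entries(events):
    """(threat, location) for each detection sitting in an autostart / load-point location."""
    out = []
    for e in detections(events):
        f, loc = e["fields"], e["fields"].get("Infection", "")
        if f.get("Type") == "Startup" or any(mk.lower() in loc.lower() for mk in PERSISTENCE_MARKERS):
            out.append((f.get("Threat Name", "?"), loc))
    return out

def scan_totals(events):
    """Numeric totals from the 'Scan Finished' footer, to cross-check against what was parsed."""
    for e in events:
        if e["event"] == "Scan Finished":
            return {k: int(v) for k, v in e["fields"].items() if v.isdigit()}
    return {}

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(f"parsed {len(detections(evs))} detections; footer totals: {scan_totals(evs)}")
    for name, n in summarize(evs)[0].most_common():
        print(f"{n:3d}  {name}")
    print("load-point entries to clear first:")
    for threat, loc in persistence_entries(evs):
        print(f"  [{threat}] {loc}")
```

Run over the full log as posted, the parser finds 40 detection records across 12 distinct threat names, which reconciles with the "Infections Detected - 40" and "Threats Detected - 12" footer; a mismatch there is the quickest sign of a truncated paste. The LSA Authentication Packages entry is the one to treat as most serious: that value is loaded into the LSA process at boot, so it keeps a component alive across logons regardless of which file in system32 was deleted by hand.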

rjfvillarosa
10-01-2008, 09:13 AM
Well... heh... I was trying to get a keygen cuz I'm a sneaky Asian that doesn't like paying for things
Please reread the forum rules, paying particular attention to rule number 9.
Software piracy is against forum rules and as such you will not receive any help here dealing with a self inflicted problem caused by downloading key generators or workarounds.
Thread closed.

rjfvillarosa moderator