
Thread: HELP!!! vundo/zlob/smitfraud trojan on my PC!

  1. #1
    Junior Member
    Join Date
    Jun 2008
    Posts
    3

    Unhappy HELP!!! vundo/zlob/smitfraud trojan on my PC!

    Hello, I've tried similar solutions but they all seem to fail. I've tried SmitfraudFix, VundoFix and others, but none of them seem to work for me.

    I get popups and certain sites do not open (while they should).


    Please help me exterminate this NASTY virus.

    Here's my HJT log-


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:49:07, on 6/5/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\LANDesk\Shared Files\residentagent.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\LANDesk\LDClient\LocalSch.EXE
    C:\WINDOWS\system32\CBA\pds.exe
    C:\Program Files\LANDesk\LDClient\tmcsvc.exe
    C:\PROGRA~1\LANDesk\LDClient\issuser.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\PROGRA~1\LANDesk\LDClient\collector.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\Program Files\LANDesk\LDClient\softmon.exe
    C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\Elitecore\Single Signon\SSCyberoam_7310.exe
    C:\Program Files\My Lockbox\flockbox.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\AvaFind\AvaFind.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
    C:\Program Files\WordWeb\wweb32.exe
    C:\Program Files\LANDesk\LDClient\LDIScn32.EXE
    C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
    C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    D:\sudasoft\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by (NSS)
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.0.160:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://nlt-deploy;https://******;https://******;<local>
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKLM\..\Run: [Single Signon] C:\Program Files\Elitecore\Single Signon\SSCyberoam_7310.exe
    O4 - HKLM\..\Run: [flockbox] C:\Program Files\My Lockbox\flockbox.exe /a
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [BMeb3ddf2f] Rundll32.exe "C:\WINDOWS\system32\iinokuco.dll",s
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [AvaFind] "C:\Program Files\AvaFind\AvaFind.exe" /minimized
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
    O4 - Global Startup: VPN Client.lnk = ?
    O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
    O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\system32\wweb32.dll/lookup.html
    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase9563.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ****
    O17 - HKLM\Software\..\Telephony: DomainName = ****.COM
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ****
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ****
    O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
    O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
    O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: LANDesk(R) Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe

    --
    End of file - 7894 bytes
    Last edited by googlistics; June 26th, 2008 at 09:05 AM.

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    If it's a virus, do you do your virus scan in safe mode? If not, try that. Make sure you have up-to-date virus signatures. Also, you may want to try going to http://housecall.trendmicro.com in safe-mode with networking and let it scan your system. A quick glance at your hijack log and it looks ok.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    Senior Member
    Join Date
    Dec 2001
    Posts
    319
    The only thing that looks troubling is:
    O4 - HKLM\..\Run: [BMeb3ddf2f] Rundll32.exe "C:\WINDOWS\system32\iinokuco.dll",s

    You should remove that entry from the registry ("HKLM\Software\Microsoft\Windows\CurrentVersion\Run") and see what happens.

  4. #4
    Senior Member t34b4g5's Avatar
    Join Date
    Sep 2003
    Location
    Australia.
    Posts
    2,391
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\MsgSys.EXE
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
    C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Single Signon] C:\Program Files\Elitecore\Single Signon\SSCyberoam_7310.exe
    O4 - HKLM\..\Run: [BMeb3ddf2f] Rundll32.exe "C:\WINDOWS\system32\iinokuco.dll",s
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    That's about all I can visually pick out; a few of them are reeaal nasty SOB's, and even harder to remove and keep 'em gone.

    I would strongly suggest that you just back up any important files and do a format and re-install.

  5. #5
    Senior Member
    Join Date
    Dec 2001
    Posts
    319
    t34 : Except for the one I mentioned, those are all valid programs. Some Google research would help.

  6. #6
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Quote Originally Posted by delstar
    t34 : Except for the one I mentioned, those are all valid programs. Some Google research would help.
    I agree.

    Those igfx* executables are for Intel graphics cards. The hkcmd is the Windows hotkey functionality. Msgsys is part of LANDesk.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  7. #7
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    I know this is posted in a variety of other threads but I feel that it is useful to add to any thread of this nature.

    Googleing might seem like a rather daunting task. This tool will check your log and indicate what is generally considered "safe" and what needs looking into or just getting rid of (known baddies).

    Beware. Some items might trip a warning because of where they are located. This can happen legitimately with a new release of the software, so check to see if you have an instance in the location they suggest as well.

    http://www.hijackthis.de/

    Googling or Googleing? don't know which you prefer but it seems like I have just invented a new word.

    As a second string to your investigation might I recommend that you submit suspicious files here:

    http://www.virustotal.com/



    @ SirDice and delstar, do you mean this:

    http://www.****inggoogleit.com/

    It is OK for work: nothing rude on the site itself

  8. #8
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Quote Originally Posted by nihil
    @ SirDice and delstar, do you mean this:

    http://www.****inggoogleit.com/
    To be honest the only one I didn't recognize was the Msgsys thingy.. And yes I googled it
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  9. #9
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    SC
    Posts
    718
    The only thing that looks troubling is:
    O4 - HKLM\..\Run: [BMeb3ddf2f] Rundll32.exe "C:\WINDOWS\system32\iinokuco.dll",s
    I'm with Delstar on this one as well. Actually, I was fairly dizzied by the fact that you say you have a virus on your machine but, outside of a single oddly named library called iinokuco, all seemed fine. So I googled iinokuco and, surprise, surprise, no luck (except the link to this very thread). Then I was reminded of a doozy my sister got on her machine.

    It was called Virtumonde. The little s.o.b. keeps changing the .dll to random file names, so you can never quite find the offending .dll being called by Rundll.exe. It seems to me you're infected with some kind of adware with polymorphing file naming capabilities. You might want to run a couple of antispyware programs & see what they find/clean.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton
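    The triage delstar (post #3) and ShagDevil (post #9) did by eye can be expressed as a check over the O4 lines of a HijackThis log. The script below is an added example, not the forum's or HijackThis's own code: it parses registry-backed O4 entries and flags the combination seen in this log (rundll32 loading a DLL from system32 with a one-letter export, under a value name made of two letters plus eight hex digits). The sample lines are constructed from the format of the log in post #1; the name pattern is an assumption drawn from the single BMeb3ddf2f entry, not a general signature.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in HijackThis O4 format, modelled on the log in post #1.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [BMeb3ddf2f] Rundll32.exe "C:\WINDOWS\system32\iinokuco.dll",s
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
"""

# Registry-backed O4 lines: hive, key (Run/RunOnce), [value name], command line.
O4_RE = re.compile(r'^O4 - (?P<hive>HK\S+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# rundll32 <dll>,<export>; the DLL path may be quoted.
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?(?:,(?P<export>\S*))?', re.I)
# Value names like BMeb3ddf2f: two letters followed by eight hex digits (assumed pattern).
RANDOM_NAME_RE = re.compile(r'^[A-Za-z]{2}[0-9a-f]{8}$')

def parse_o4(line: str) -> Optional[Dict[str, str]]:
    """Split a registry-backed O4 line into its fields; None for Startup-folder lines."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None

def assess(entry: Dict[str, str]) -> List[str]:
    """Reasons an entry deserves a closer look; an empty list means nothing odd was seen."""
    reasons = []
    m = RUNDLL_RE.match(entry["cmd"])
    if m:
        dll, export = m.group("dll"), m.group("export")
        base = dll.rsplit("\\", 1)[-1]
        # Vendor autostarts name an .exe; a DLL in system32 run via rundll32 with a
        # one-letter export is the pattern posts #3 and #9 single out.
        if "\\system32\\" in dll.lower():
            reasons.append(f"rundll32 loads {base} from system32")
        if export and len(export) == 1:
            reasons.append(f"one-letter export '{export}'")
    if RANDOM_NAME_RE.match(entry["name"]):
        reasons.append(f"random-looking value name {entry['name']}")
    return reasons

def triage(log: str) -> Dict[str, List[str]]:
    """Map each flagged O4 value name to its reasons; clean entries are omitted."""
    flagged: Dict[str, List[str]] = {}
    for line in log.splitlines():
        entry = parse_o4(line)
        reasons = assess(entry) if entry else []
        if reasons:
            flagged[entry["name"]] = reasons
    return flagged
```

Running `triage` over a full log only surfaces entries worth researching; as delstar notes, the remaining vendor entries still need to be confirmed by hand (or via a lookup site) before anything is removed.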

  10. #10
    Junior Member
    Join Date
    Jun 2008
    Posts
    1
    Try to use NOD32 antivirus, because it is easier to customize than McAfee and does a very good job. Also, search for Avira Antivirus on Google - it is very good and fast (I have it at work).
