Virtumonde


Post by HelpMeMrWizard » November 17th, 2007, 9:17 pm

I acquired a computer from a friend, it seems to have Virtumonde. Below is the Ad-Aware log (from the second run), after which is a HiJackThis log:

Ad-Aware SE Build 1.06r1
Logfile Created on:Saturday, November 17, 2007 6:43:28 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R202 12.11.2007
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):6 total references
Tracking Cookie(TAC index:3):8 total references
Virtumonde(TAC index:10):3 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


11-17-2007 6:43:28 PM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\Me\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-527237240-1682526488-1708537768-1002\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-527237240-1682526488-1708537768-1002\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-527237240-1682526488-1708537768-1002\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-527237240-1682526488-1708537768-1002\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 140
ThreadCreationTime : 11-17-2007 11:38:43 PM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 168
ThreadCreationTime : 11-17-2007 11:38:49 PM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 164
ThreadCreationTime : 11-17-2007 11:38:50 PM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 216
ThreadCreationTime : 11-17-2007 11:38:52 PM
BasePriority : Normal
FileVersion : 5.00.2195.7035
ProductVersion : 5.00.2195.7035
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 228
ThreadCreationTime : 11-17-2007 11:38:52 PM
BasePriority : Normal
FileVersion : 5.00.2195.7011
ProductVersion : 5.00.2195.7011
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Executable and Server DLL (Export Version)
InternalName : lsasrv.dll and lsass.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : lsasrv.dll and lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 400
ThreadCreationTime : 11-17-2007 11:38:57 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:7 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 428
ThreadCreationTime : 11-17-2007 11:38:57 PM
BasePriority : Normal
FileVersion : 5.00.2195.7059
ProductVersion : 5.00.2195.7059
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolss.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : spoolss.exe

#:8 [avgserv.exe]
FilePath : C:\PROGRA~1\Grisoft\AVG6\
ProcessID : 480
ThreadCreationTime : 11-17-2007 11:39:05 PM
BasePriority : Normal
FileVersion : 6.0.1.696
ProductVersion : 6.0.1.696
ProductName : AVG6
CompanyName : GRISOFT s.r.o
FileDescription : AvgServ - displays notification message
InternalName : AvgServ
LegalCopyright : Copyright (c) GRISOFT 1998-2004
OriginalFilename : AvgServ

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 500
ThreadCreationTime : 11-17-2007 11:39:05 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:10 [regsvc.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 552
ThreadCreationTime : 11-17-2007 11:39:09 PM
BasePriority : Normal
FileVersion : 5.00.2195.6701
ProductVersion : 5.00.2195.6701
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Remote Registry Service
InternalName : regsvc
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : REGSVC.EXE

#:11 [winmgmt.exe]
FilePath : C:\WINDOWS\System32\WBEM\
ProcessID : 584
ThreadCreationTime : 11-17-2007 11:39:13 PM
BasePriority : Normal
FileVersion : 1.50.1085.0100
ProductVersion : 1.50.1085.0100
ProductName : Windows Management Instrumentation
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
LegalCopyright : Copyright (C) Microsoft Corp. 1995-1999

#:12 [mspmspsv.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 640
ThreadCreationTime : 11-17-2007 11:39:14 PM
BasePriority : Normal
FileVersion : 7.10.00.3059
ProductVersion : 7.10.00.3059
ProductName : Microsoft (R) DRM
CompanyName : Microsoft Corporation
FileDescription : WMDM PMSP Service
InternalName : MSPMSPSV.EXE
LegalCopyright : Copyright (C) Microsoft Corp. 1981-2000
OriginalFilename : MSPMSPSV.EXE

#:13 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 652
ThreadCreationTime : 11-17-2007 11:39:14 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:14 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 896
ThreadCreationTime : 11-17-2007 11:39:50 PM
BasePriority : Normal
FileVersion : 5.00.3700.6690
ProductVersion : 5.00.3700.6690
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : EXPLORER.EXE

#:15 [avgcc32.exe]
FilePath : C:\PROGRA~1\Grisoft\AVG6\
ProcessID : 1140
ThreadCreationTime : 11-17-2007 11:40:39 PM
BasePriority : Normal
FileVersion : 6, 0, 0, 515
ProductVersion : 6, 0, 0, 0
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC32
LegalCopyright : Copyright © 2003 GRISOFT s.r.o.
OriginalFilename : AvgCC32.EXE

#:16 [msbntray.exe]
FilePath : C:\Program Files\Microsoft Broadband Networking\
ProcessID : 1168
ThreadCreationTime : 11-17-2007 11:40:44 PM
BasePriority : Normal
FileVersion : 2.0.598
ProductVersion : 2.0.598
ProductName : Microsoft Broadband Networking Software
CompanyName : Microsoft Corporation
FileDescription : Microsoft Broadband Networking Tray Application
InternalName : MSBNTray.exe
LegalCopyright : Copyright © 1995-2002 Microsoft Corporation
OriginalFilename : MSBNTray.exe

#:17 [wuauclt.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1172
ThreadCreationTime : 11-17-2007 11:40:44 PM
BasePriority : Normal


#:18 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 972
ThreadCreationTime : 11-17-2007 11:41:25 PM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Virtumonde Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{6d33b121-5c4c-4450-9d1f-7b67085cc199}

Virtumonde Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{6d33b121-5c4c-4450-9d1f-7b67085cc199}
Value : AppID

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 8


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 8

Virtumonde Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d33b121-5c4c-4450-9d1f-7b67085cc199}


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : me@atdmt[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:me@atdmt.com/
Expires : 11-14-2012 7:00:00 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 10



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : statehopper@mrskin[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Statehopper\Cookies\statehopper@mrskin[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : statehopper@freeze[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Statehopper\Cookies\statehopper@freeze[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : statehopper@com[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Statehopper\Cookies\statehopper@com[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : statehopper@partygaming.122.2o7[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Statehopper\Cookies\statehopper@partygaming.122.2o7[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : statehopper@partypoker[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Statehopper\Cookies\statehopper@partypoker[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : statehopper@stats1.reliablestats[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Statehopper\Cookies\statehopper@stats1.reliablestats[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : statehopper@ad.yieldmanager[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Statehopper\Cookies\statehopper@ad.yieldmanager[1].txt

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 17


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 17




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 17

6:53:01 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:09:32.283
Objects scanned:93284
Objects identified:11
Objects ignored:0
New critical objects:11

================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:36:55 PM, on 11/17/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\WINDOWS\TEMP\pft51A1~TMP\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O2 - BHO: (no name) - {10334F81-CA09-401E-81B8-36832487407d} - C:\WINDOWS\system32\redvkeit.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: WTLHelper Object - {6D33B121-5C4C-4450-9D1F-7B67085CC199} - C:\WINDOWS\System32\mljhf.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 5301654002
O20 - Winlogon Notify: mljhf - C:\WINDOWS\System32\mljhf.dll
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe

--
End of file - 3160 bytes
HelpMeMrWizard
Regular Member
 
Posts: 31
Joined: March 4th, 2007, 3:24 pm
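The two HijackThis logs in this thread show the pattern the helper acted on: the same DLL, mljhf.dll, registered both as a BHO (O2) and as a Winlogon Notify handler (O20), an unnamed BHO loading from system32, and, in the second log, a Run-key entry that launches a system32 DLL through rundll32. The following Python script is an added example, not a tool from MalwareRemoval.com or part of HijackThis; it parses those entry types and correlates them by file path. The sample lines are copied from the logs above (first and second log merged); the "random-looking filename" rule (five to eight lowercase letters, no digits) is an assumption of this example, not something the thread states.

```python
import ntpath
import re

# Constructed sample: the BHO (O2), Run-key (O4) and Winlogon Notify (O20)
# entries copied from the HijackThis logs posted above; the first and second
# logs are merged so that one input exercises every rule below.
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\WINDOWS\TEMP\pft51A1~TMP\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O2 - BHO: (no name) - {10334F81-CA09-401E-81B8-36832487407d} - C:\WINDOWS\system32\redvkeit.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: WTLHelper Object - {6D33B121-5C4C-4450-9D1F-7B67085CC199} - C:\WINDOWS\System32\mljhf.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\ylopunoh.dll",forkonce
O20 - Winlogon Notify: mljhf - C:\WINDOWS\System32\mljhf.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
                   r"(?P<path>.+?)(?: \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\w+)', re.I)
# Heuristic (an assumption of this example, not a rule from the thread): Vundo
# drops DLLs with short, lowercase, digit-free names such as mljhf or ylopunoh.
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,8}$")


def _random_looking(path):
    stem, _ = ntpath.splitext(ntpath.basename(path))
    return bool(RANDOM_NAME_RE.match(stem))


def parse_hjt(log_text):
    """Index the O2/O4/O20 entries by case-folded file path so that the same
    DLL showing up in several sections becomes a single dict lookup."""
    by_path = {}

    def add(path, section, detail):
        path = path.strip()
        rec = by_path.setdefault(path.lower(), {"path": path, "entries": []})
        rec["entries"].append((section, detail))

    for line in log_text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            add(m["path"], "O2", m["name"])
        elif m := O20_RE.match(line):
            add(m["path"], "O20", m["name"])
        elif m := O4_RE.match(line):
            r = RUNDLL_RE.search(m["cmd"])
            if r:                       # rundll32 "<dll>",<export> style launcher
                add(r["dll"], "O4-rundll32", r["export"])
            else:                       # plain executable; naive split drops arguments
                add(m["cmd"].split()[0].strip('"'), "O4", m["name"])
    return by_path


def triage(log_text):
    """Return {case-folded path: [reasons]} for entries that show the Vundo
    persistence pattern visible in the logs above."""
    findings = {}
    for key, rec in parse_hjt(log_text).items():
        sections = {s for s, _ in rec["entries"]}
        in_system32 = "\\system32\\" in key
        reasons = []
        if {"O2", "O20"} <= sections:
            reasons.append("same DLL registered as a BHO and as a Winlogon Notify handler")
        if in_system32 and ("O2", "(no name)") in rec["entries"]:
            reasons.append("unnamed BHO loading from system32")
        if in_system32 and "O4-rundll32" in sections:
            reasons.append("Run key launches a system32 DLL through rundll32")
        if in_system32 and _random_looking(rec["path"]):
            reasons.append("random-looking filename in system32")
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_HJT_LOG).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, the script flags mljhf.dll, redvkeit.dll and ylopunoh.dll and leaves the AVG, Spybot and Adobe entries alone. The cross-section correlation is the strongest signal: a legitimate BHO has no business also being a Winlogon Notify package, whereas the name heuristic on its own will eventually produce false positives and should only ever be a supporting indicator.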

Re: Virtumonde

Post by random/random » November 18th, 2007, 11:57 am

Download the latest version of ComboFix from Here to your Desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
random/random
Developer
 
Posts: 7731
Joined: December 18th, 2005, 3:30 pm

Re: Virtumonde

Post by HelpMeMrWizard » November 18th, 2007, 5:15 pm

Thanks for the help. Here are the logs:
==========
ComboFix 07-11-08.1 - Me 11/18/2007 15:19:09.1 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.386 [GMT -5:00]
Running from: C:\Documents and Settings\Me\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\USYP_0001_N69M1703NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\UWAS7_0001_N99M3108NetInstaller.exe
C:\WINDOWS\start.exe
C:\WINDOWS\SYSTEM32\fhjlm.bak1
C:\WINDOWS\SYSTEM32\fhjlm.bak2
C:\WINDOWS\SYSTEM32\fhjlm.ini
C:\WINDOWS\SYSTEM32\fhjlm.ini2
C:\WINDOWS\SYSTEM32\fhjlm.tmp
C:\WINDOWS\system32\fmfblbib.dll
C:\WINDOWS\system32\nowtggbh.dll
C:\WINDOWS\system32\qlskfbyv.dll
C:\WINDOWS\system32\redvkeit.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-18 to 2007-11-18 )))))))))))))))))))))))))))))))
.

2007-11-18 15:24 16,384 --a----t- C:\WINDOWS\SYSTEM32\Perflib_Perfdata_248.dat
2007-11-18 15:17 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-18 15:13 71,188 --a------ C:\WINDOWS\SYSTEM32\ubgxludh.exe
2007-11-17 18:40 71,188 --a------ C:\WINDOWS\SYSTEM32\mrpbitds.exe
2007-11-17 16:08 <DIR> d-------- C:\WINDOWS\Profiles\All Users\Application Data\Spybot - Search & Destroy
2007-11-17 15:42 <DIR> d-------- C:\WINDOWS\SYSTEM32\Windows Media
2007-11-17 15:40 <DIR> d-------- C:\WINDOWS\msiinst.tmp
2007-11-17 15:40 <DIR> d--h----- C:\WINDOWS\$NtUpdateRollupPackUninstall$
2007-11-17 15:33 <DIR> d--h----- C:\WINDOWS\$SQLUninstallMDAC25SP3-KB927779-x86-ENU$
2007-11-17 15:26 <DIR> d-------- C:\WINDOWS\mui
2007-11-17 15:11 92,032 --------- C:\WINDOWS\SYSTEM32\dllcache\KRNL386.EXE
2007-11-17 15:11 90,384 --------- C:\WINDOWS\SYSTEM32\dllcache\cryptdlg.dll
2007-11-17 15:11 44,032 --------- C:\WINDOWS\SYSTEM32\dllcache\msxml3r.dll
2007-11-17 14:58 2,174,976 --------- C:\WINDOWS\SYSTEM32\dllcache\wmvcore.dll
2007-11-17 14:54 840,976 --------- C:\WINDOWS\SYSTEM32\dllcache\mmcndmgr.dll
2007-11-17 14:46 86,288 --------- C:\WINDOWS\SYSTEM32\dllcache\srvsvc.dll
2007-11-17 07:51 <DIR> d-------- C:\WINDOWS\SYSTEM32\BITS
2007-11-17 07:39 549,720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-11-17 07:39 325,976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-11-17 07:39 43,352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-11-17 07:39 33,624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-11-17 07:36 <DIR> d-------- C:\WINDOWS\ime
2007-11-17 07:28 <DIR> d-------- C:\WINDOWS\SYSTEM32\ie_de
2007-11-17 07:28 <DIR> d-------- C:\WINDOWS\SYSTEM32\CertSrv
2007-11-17 07:28 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-11-17 07:25 3,856 --------- C:\WINDOWS\SYSTEM32\SVCPACK1.DLL
2007-11-16 22:01 <DIR> d-------- C:\Program Files\Three Rings Design
2007-11-16 21:37 <DIR> d-------- C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-08-19 22:55 93,184 ----a-w C:\WINDOWS\SYSTEM32\dllcache\OEIMPORT.DLL
2007-08-19 22:55 91,136 ----a-w C:\WINDOWS\SYSTEM32\MSOERT2.DLL
2007-08-19 22:55 91,136 ----a-w C:\WINDOWS\SYSTEM32\dllcache\MSOERT2.DLL
2007-08-19 22:55 77,824 ----a-w C:\WINDOWS\SYSTEM32\dllcache\WABIMP.DLL
2007-08-19 22:55 75,776 ----a-w C:\WINDOWS\SYSTEM32\dllcache\DIRECTDB.DLL
2007-08-19 22:55 596,992 ----a-w C:\WINDOWS\SYSTEM32\INETCOMM.DLL
2007-08-19 22:55 596,992 ----a-w C:\WINDOWS\SYSTEM32\dllcache\INETCOMM.DLL
2007-08-19 22:55 56,832 ----a-w C:\WINDOWS\SYSTEM32\dllcache\MSIMN.EXE
2007-08-19 22:55 55,808 ----a-w C:\WINDOWS\SYSTEM32\dllcache\OEMIG50.EXE
2007-08-19 22:55 47,616 ----a-w C:\WINDOWS\SYSTEM32\INETRES.DLL
2007-08-19 22:55 47,616 ----a-w C:\WINDOWS\SYSTEM32\dllcache\INETRES.DLL
2007-08-19 22:55 465,920 ----a-w C:\WINDOWS\SYSTEM32\dllcache\WAB32.DLL
2007-08-19 22:55 42,496 ----a-w C:\WINDOWS\SYSTEM32\dllcache\WAB.EXE
2007-08-19 22:55 31,744 ----a-w C:\WINDOWS\SYSTEM32\dllcache\OEMIGLIB.DLL
2007-08-19 22:55 30,208 ----a-w C:\WINDOWS\SYSTEM32\dllcache\WABFIND.DLL
2007-08-19 22:55 27,648 ----a-w C:\WINDOWS\SYSTEM32\dllcache\WABMIG.EXE
2007-08-19 22:55 229,376 ----a-w C:\WINDOWS\SYSTEM32\MSOEACCT.DLL
2007-08-19 22:55 229,376 ----a-w C:\WINDOWS\SYSTEM32\dllcache\MSOEACCT.DLL
2007-08-19 22:55 2,479,616 ----a-w C:\WINDOWS\SYSTEM32\dllcache\MSOERES.DLL
2007-08-19 22:55 1,176,064 ----a-w C:\WINDOWS\SYSTEM32\dllcache\MSOE.DLL
2007-08-19 22:52 44,032 ----a-w C:\WINDOWS\SYSTEM32\MSIDENT.DLL
2007-08-19 22:52 44,032 ----a-w C:\WINDOWS\SYSTEM32\dllcache\MSIDENT.DLL
2004-05-14 22:53 305 ---h--w C:\Program Files\desktop.ini
2004-05-14 22:48 21,952 ---h--w C:\Program Files\folder.htt
1999-12-07 17:00 32,528 ----a-w C:\WINDOWS\inf\wbfirdma.sys
1997-04-06 03:02:12 38,925 --sh--w C:\WINDOWS\SYSTEM32\pmnkl.dll
1997-04-06 03:05:02 38,925 --sh--w C:\WINDOWS\SYSTEM32\awvst.dll
1997-04-06 21:29:52 577,588 --sh--w C:\WINDOWS\SYSTEM32\mljhf.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D33B121-5C4C-4450-9D1F-7B67085CC199}]
97-04-06 16:29 577588 ---hs---- C:\WINDOWS\System32\mljhf.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [99-12-07 12:00 C:\WINDOWS\SYSTEM32\systray.exe]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 C:\WINDOWS\SYSTEM32\mobsync.exe]
"AVG_CC"="C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe" [04-05-18 06:00 ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"SchedulingAgent"=mstask.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Broadband Networking.lnk - C:\WINDOWS\Installer\{2C84BB95-1DB9-4AC4-8750-F979BBCDD859}\_18be6784.exe [1997-01-02 01:52:26]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"=0 (0x0)
"NoWindowsUpdate"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljhf]
C:\WINDOWS\System32\mljhf.dll 97-04-06 16:29 577588 C:\WINDOWS\SYSTEM32\mljhf.dll

R2 AvgCore;AVG6 Kernel;\??\C:\PROGRA~1\Grisoft\AVG6\avgcore.sys
R2 AvgFsh;AVG6 Rezident Driver;\??\C:\PROGRA~1\Grisoft\AVG6\avgfsh.sys
R2 AvgServ;AVG6 Service;C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
R3 ES1370;Creative AudioPCI (ES1370), SB PCI 64/128 (WDM);C:\WINDOWS\system32\drivers\ES1370MP.sys
R3 i740;i740;C:\WINDOWS\system32\DRIVERS\i740nt5.sys
R3 lne100v5;Linksys LNE100TX(v5) Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\lne100v5.sys
S3 MSFT43XX;Microsoft Wireless Notebook Adapter Driver;C:\WINDOWS\system32\DRIVERS\mn720-50.sys
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys
S3 pc100;Linksys EtherFast 10/100 PC Card NT Driver;C:\WINDOWS\system32\DRIVERS\pc100nds.sys

.
Contents of the 'Scheduled Tasks' folder
"2005-12-04 04:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2003-01-05 20:50:44 C:\WINDOWS\Tasks\Maintenance-Defragment programs.job"
- C:\WINDOWS\DEFRAG.EXE
"2003-01-05 20:50:44 C:\WINDOWS\Tasks\Maintenance-Disk cleanup.job"
- C:\WINDOWS\CLEANMGR.EXE
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-18 15:25:27
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-18 15:27:21 - machine was rebooted
.
--- E O F ---
==========
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:31:06 PM, on 11/18/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\WINDOWS\TEMP\pft51A1~TMP\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: WTLHelper Object - {6D33B121-5C4C-4450-9D1F-7B67085CC199} - C:\WINDOWS\System32\mljhf.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\ylopunoh.dll",forkonce
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 5301654002
O20 - Winlogon Notify: mljhf - C:\WINDOWS\System32\mljhf.dll
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe

--
End of file - 3108 bytes
HelpMeMrWizard
Regular Member
 
Posts: 31
Joined: March 4th, 2007, 3:24 pm
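The Find3M report in the ComboFix log above carries a second, file-level indicator that the HijackThis entries do not: three DLLs in system32 (pmnkl.dll, awvst.dll, mljhf.dll) with hidden and system attributes (`--sh--w`) and 1997 timestamps on a Windows 2000 machine, two of them exactly 38,925 bytes. The Python script below is an added example, not ComboFix's own logic, that pulls those indicators out of the report. The sample lines are copied from the log above with a few legitimate entries kept as controls; the attribute rule, the size pairing and the `os_release_year` cut-off are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the Find3M report in the ComboFix log
# posted above, with a few of the legitimate entries kept as controls.
SAMPLE_FIND3M = r"""
2007-08-19 22:55 93,184 ----a-w C:\WINDOWS\SYSTEM32\dllcache\OEIMPORT.DLL
2007-08-19 22:55 91,136 ----a-w C:\WINDOWS\SYSTEM32\MSOERT2.DLL
2004-05-14 22:53 305 ---h--w C:\Program Files\desktop.ini
1999-12-07 17:00 32,528 ----a-w C:\WINDOWS\inf\wbfirdma.sys
1997-04-06 03:02:12 38,925 --sh--w C:\WINDOWS\SYSTEM32\pmnkl.dll
1997-04-06 03:05:02 38,925 --sh--w C:\WINDOWS\SYSTEM32\awvst.dll
1997-04-06 21:29:52 577,588 --sh--w C:\WINDOWS\SYSTEM32\mljhf.dll
"""

# ComboFix prints "date time[:ss] size attrs path"; the attribute column is 7
# characters in the Find3M report and 9 in the "Files Created" section.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}(?::\d{2})? "
    r"(?P<size>[\d,]+) (?P<attrs>[-a-z]{7,9}) (?P<path>.+)$"
)


def parse_find3m(text):
    """Turn the report lines into dicts; lines that do not fit are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append({
                "year": int(m["date"][:4]),
                "size": int(m["size"].replace(",", "")),
                "attrs": m["attrs"],
                "path": m["path"],
            })
    return rows


def suspicious_files(text, os_release_year=2000):
    """Return {path: [reasons]} for hidden+system files in system32.

    os_release_year is an assumption of this example: the host runs Windows
    2000, so a system32 file stamped before 2000 is older than the OS itself.
    """
    rows = parse_find3m(text)
    hidden_system = [
        r for r in rows
        if "h" in r["attrs"] and "s" in r["attrs"] and "\\system32\\" in r["path"].lower()
    ]
    size_counts = Counter(r["size"] for r in hidden_system)   # paired droppers share a size
    findings = {}
    for r in hidden_system:
        reasons = ["hidden+system attributes on a file in system32"]
        if r["year"] < os_release_year:
            reasons.append(f"timestamp {r['year']} predates the installed OS")
        if size_counts[r["size"]] > 1:
            reasons.append(f"same size ({r['size']} bytes) as another flagged file")
        findings[r["path"]] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in suspicious_files(SAMPLE_FIND3M).items():
        print(path, "->", "; ".join(reasons))
```

desktop.ini is hidden but not system and not in system32, and wbfirdma.sys is old but has ordinary attributes, so neither is reported; the three Vundo DLLs are, and the two 38,925-byte files are tied together as probable copies of the same component.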

Re: Virtumonde

Post by random/random » November 18th, 2007, 5:17 pm

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
random/random
Developer
 
Posts: 7731
Joined: December 18th, 2005, 3:30 pm

Re: Virtumonde

Post by HelpMeMrWizard » November 18th, 2007, 6:19 pm

Done. Is it normal for it to say it can't import the vondofix.reg? (That may not be the exact name; sorry, I failed to write it down.)

Anyway, here's the logs:


VundoFix V6.6.2

Checking Java version...

Sun Java not detected
Scan started at 3:46:22 PM 11/18/2007

Listing files found while scanning....

C:\windows\SYSTEM32\brdcaavv.dll
C:\WINDOWS\System32\fhjlm.ini
C:\windows\SYSTEM32\honupoly.ini
C:\WINDOWS\System32\mljhf.dll
C:\WINDOWS\system32\ylopunoh.dll

Beginning removal...

Attempting to delete C:\windows\SYSTEM32\brdcaavv.dll
C:\windows\SYSTEM32\brdcaavv.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\fhjlm.ini
C:\WINDOWS\System32\fhjlm.ini Has been deleted!

Attempting to delete C:\windows\SYSTEM32\honupoly.ini
C:\windows\SYSTEM32\honupoly.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\mljhf.dll
C:\WINDOWS\System32\mljhf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ylopunoh.dll
C:\WINDOWS\system32\ylopunoh.dll Has been deleted!

Performing Repairs to the registry.
Done!
============
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:34:40 PM, on 11/18/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\WINDOWS\TEMP\pft51A1~TMP\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 5301654002
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe

--
End of file - 2851 bytes
HelpMeMrWizard
Regular Member
 
Posts: 31
Joined: March 4th, 2007, 3:24 pm

Re: Virtumonde

Unread postby random/random » November 19th, 2007, 2:31 pm

Done. Is it normal for it to say it can't import the vondofix.reg? (That may not be the exact name, sorry I failed to write it down.)


It's not normal, but it seems to have worked, so that's OK

Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines(if still present)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\WINDOWS\TEMP\pft51A1~TMP\Reader\ActiveX\AcroIEHelper.ocx (file missing)

Then close all windows except HijackThis and click Fix Checked

Use windows explorer to find and delete these files:

C:\WINDOWS\SYSTEM32\ubgxludh.exe
C:\WINDOWS\SYSTEM32\mrpbitds.exe
C:\WINDOWS\SYSTEM32\pmnkl.dll
C:\WINDOWS\SYSTEM32\awvst.dll

As an example:
To delete C:\WINDOWS\system32\filetogo.bye
Double click the My Computer icon on your Desktop.
Double click on Local Disc (C:\)
Double click on the Windows folder,
Double click on the System 32 folder,
Right click on filetogo.bye and from the menu that appears, click on 'Delete'


Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic, along with a new HijackThis log and a description of any remaining problems
random/random
Developer
 
Posts: 7731
Joined: December 18th, 2005, 3:30 pm

Re: Virtumonde

Unread postby HelpMeMrWizard » November 19th, 2007, 4:56 pm

I missed the 2 DLLs, they were hidden. I went back a second time and got them.

==============

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2670 (20071119)
# vers_arch_module=1.059 (20071108)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=3fa6d52926f063478ac6d29c6496315d
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2007-11-19 07:50:56
# local_time=2007-11-19 02:50:56 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.0.2195 NT Service Pack 4
# scanned=87645
# found=16
# scan_time=1455
C:\WINDOWS\SYSTEM32\gyldknna.dll probably a variant of Win32/Adware.BHO.V application C45DF70F4FBAFE5DFACBB0F847330F4E
C:\WINDOWS\SYSTEM32\pmnkl.dll Win32/TrojanDownloader.ConHook trojan F5FE6E31E9AB56B848EAE0F033591AE2
C:\WINDOWS\SYSTEM32\awvst.dll Win32/TrojanDownloader.ConHook trojan F5FE6E31E9AB56B848EAE0F033591AE2
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\USYP_0001_N69M1703NetInstaller.exe Win32/Adware.WinFixer application 50E49B3ECAEC7E93BA38D72D6BF8DCE7
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\USYP_0001_N69M1703NetInstaller.exe Win32/Adware.WinFixer application 50E49B3ECAEC7E93BA38D72D6BF8DCE7
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\USYP_0001_N69M1703NetInstaller.exe Win32/Adware.WinFixer application 50E49B3ECAEC7E93BA38D72D6BF8DCE7
C:\Program Files\Common Files\SysProtect\PCheck.dll Win32/Adware.SysProtect application 7A9CA26D6428808BA8C715454D0EA5F2
C:\qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\USYP_0001_N69M1703NetInstaller.exe.vir Win32/Adware.WinFixer application 50E49B3ECAEC7E93BA38D72D6BF8DCE7
C:\qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\UWAS7_0001_N99M3108NetInstaller.exe.vir Win32/Adware.WinFixer application C84F51827B483FA0BD9D5ED8586B3C26
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\fmfblbib.dll.vir Win32/BHO.G trojan C0A83475611501146D0AFE4C6560D326
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\nowtggbh.dll.vir probably a variant of Win32/Adware.BHO.V application C45DF70F4FBAFE5DFACBB0F847330F4E
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\qlskfbyv.dll.vir Win32/Adware.Virtumonde application 0D35FC05B1149FFB55748A097888C225
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\redvkeit.dll.vir probably a variant of Win32/Adware.BHO.V application C45DF70F4FBAFE5DFACBB0F847330F4E
C:\VundoFix Backups\brdcaavv.dll.bad Win32/BHO.G trojan C0A83475611501146D0AFE4C6560D326
C:\VundoFix Backups\mljhf.dll.bad a variant of Win32/Adware.Virtumonde.O application 4A483004969CF756FC9FF41BC1B7E796
C:\VundoFix Backups\ylopunoh.dll.bad Win32/Adware.Virtumonde application 0D35FC05B1149FFB55748A097888C225
===============
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:15:28 PM, on 11/19/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 5301654002
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe

--
End of file - 2909 bytes
HelpMeMrWizard
Regular Member
 
Posts: 31
Joined: March 4th, 2007, 3:24 pm
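The ESET log above is the kind of output a helper has to triage by hand: of the 16 hits, several sit in C:\qoobox\Quarantine and C:\VundoFix Backups (already neutralised by earlier tools) while only five are live on disk, and two of the live DLLs share one MD5. The following is an added example, not part of this thread and not ESET's code, that parses that plain-text log format, checks the scan really was run in report-only mode, and separates live from quarantined detections. The detection-line shape (path, detection name, "trojan" or "application", MD5) and the quarantine folder prefixes are inferred from the log as pasted; the sample input is an abridged copy of it.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Added example, not from the original thread and not ESET's own code.
# Parses the log the ESET Online Scanner writes to
# C:\Program Files\EsetOnlineScanner\log.txt (format as pasted in the post
# above) and separates live detections from files earlier tools already
# quarantined, which is the split the helper made by hand.

# Quarantine roots of earlier cleanup tools; an assumption drawn from the
# paths in the log (ComboFix's qoobox folder and VundoFix Backups).
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\", "c:\\vundofix backups\\")

HEADER_RE = re.compile(r"^#\s*([A-Za-z_]+)=(.*)$")
# <path, may contain spaces> <detection name> <trojan|application> <MD5>
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<name>(?:probably a variant of |a variant of )?\S+/\S+)\s+"
    r"(?P<kind>trojan|application)\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)

# Constructed sample: an abridged copy of the log posted above.
SAMPLE_LOG = r"""
# version=4
# end=finished
# remove_checked=false
# unwanted_checked=true
# osver=5.0.2195 NT Service Pack 4
# scanned=87645
# found=8
C:\WINDOWS\SYSTEM32\gyldknna.dll probably a variant of Win32/Adware.BHO.V application C45DF70F4FBAFE5DFACBB0F847330F4E
C:\WINDOWS\SYSTEM32\pmnkl.dll Win32/TrojanDownloader.ConHook trojan F5FE6E31E9AB56B848EAE0F033591AE2
C:\WINDOWS\SYSTEM32\awvst.dll Win32/TrojanDownloader.ConHook trojan F5FE6E31E9AB56B848EAE0F033591AE2
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\USYP_0001_N69M1703NetInstaller.exe Win32/Adware.WinFixer application 50E49B3ECAEC7E93BA38D72D6BF8DCE7
C:\Program Files\Common Files\SysProtect\PCheck.dll Win32/Adware.SysProtect application 7A9CA26D6428808BA8C715454D0EA5F2
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\qlskfbyv.dll.vir Win32/Adware.Virtumonde application 0D35FC05B1149FFB55748A097888C225
C:\VundoFix Backups\brdcaavv.dll.bad Win32/BHO.G trojan C0A83475611501146D0AFE4C6560D326
C:\VundoFix Backups\mljhf.dll.bad a variant of Win32/Adware.Virtumonde.O application 4A483004969CF756FC9FF41BC1B7E796
"""


@dataclass(frozen=True)
class Detection:
    path: str
    name: str
    kind: str  # "trojan" or "application" (ESET's word for adware/PUA)
    md5: str

    @property
    def quarantined(self) -> bool:
        return self.path.lower().startswith(QUARANTINE_PREFIXES)


def parse_eset_log(text):
    """Return (header dict, list of Detection) for one log.txt."""
    header, hits = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            header[m.group(1)] = m.group(2).strip()
            continue
        m = DETECTION_RE.match(line)
        if m:
            hits.append(Detection(m["path"], m["name"], m["kind"], m["md5"].upper()))
    return header, hits


def report_only(header):
    """True when the scan ran with 'Remove found threats' unticked, as instructed."""
    return header.get("remove_checked") == "false"


def complete(header, hits):
    """The log's own found= count must equal what we parsed; otherwise a line
    shape this parser does not know about was silently skipped."""
    return header.get("found") == str(len(hits))


def live_files(hits):
    """Detections still on the live filesystem: the list to hand to a mover tool."""
    return [h.path for h in hits if not h.quarantined]


def duplicates_by_hash(hits):
    """Same MD5 under different names means one payload dropped several times."""
    groups = defaultdict(list)
    for h in hits:
        groups[h.md5].append(h.path)
    return {md5: paths for md5, paths in groups.items() if len(paths) > 1}


if __name__ == "__main__":
    hdr, found = parse_eset_log(SAMPLE_LOG)
    print("report-only:", report_only(hdr), "complete:", complete(hdr, found))
    for p in live_files(found):
        print("LIVE", p)
    for md5, paths in duplicates_by_hash(found).items():
        print("SAME PAYLOAD", md5, "->", ", ".join(paths))
```

The `complete()` check matters more than it looks: a scanner log is only useful as a removal list if every detection line was understood, so a mismatch against the log's own `found=` count should stop you before anything is deleted. The live list this produces for the abridged sample is exactly the set the helper hand-copied into the OTMoveIt box in the next post, minus the quarantined copies.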

Re: Virtumonde

Unread postby random/random » November 19th, 2007, 5:49 pm

AVG6 is extremely outdated; please uninstall it and install the latest version of AVG:
http://free.grisoft.com/doc/5390/us/frt/0?prd=aff

  • Download OTMoveIt by OldTimer from here
  • Double click on OTMoveIt to start OTMoveIt
  • Untick the option to Unregister Dll's and Ocx's (1)
  • Select the contents of the below codebox, then press Ctrl+C to copy it to the clipboard
    Code: Select all
    C:\WINDOWS\SYSTEM32\gyldknna.dll
    C:\WINDOWS\SYSTEM32\pmnkl.dll
    C:\WINDOWS\SYSTEM32\awvst.dll
    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\USYP_0001_N69M1703NetInstaller.exe
    C:\WINDOWS\Downloaded Program Files\CONFLICT.2\USYP_0001_N69M1703NetInstaller.exe
    C:\WINDOWS\Downloaded Program Files\CONFLICT.3\USYP_0001_N69M1703NetInstaller.exe
    C:\Program Files\Common Files\SysProtect
    
  • In OTMoveIt Right click on the box labelled Paste List of Files/Folders to be Moved
  • Click Paste (2)
  • Click MoveIt! (3)
  • Copy and paste the contents of the results box (4) as a reply to this topic, along with a new HijackThis log
random/random
Developer
 
Posts: 7731
Joined: December 18th, 2005, 3:30 pm

Re: Virtumonde

Unread postby HelpMeMrWizard » November 20th, 2007, 2:55 am

Installed McAfee.

Moveit log (ver 15 has new dialog layout)

C:\WINDOWS\SYSTEM32\gyldknna.dll moved successfully.
File/Folder C:\WINDOWS\SYSTEM32\pmnkl.dll not found.
File/Folder C:\WINDOWS\SYSTEM32\awvst.dll not found.
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\USYP_0001_N69M1703NetInstaller.exe moved successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\USYP_0001_N69M1703NetInstaller.exe moved successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\USYP_0001_N69M1703NetInstaller.exe moved successfully.
C:\Program Files\Common Files\SysProtect moved successfully.
File/Folder not found.

Created on 11/20/2007 00:25:59

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:09:59 AM, on 11/20/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: McAfee Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\PROGRA~1\mcafee\mps\mcpopup.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [McAfee Privacy Service] C:\Program Files\McAfee\MPS\mps.exe -r
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 5301654002
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe

--
End of file - 4842 bytes
HelpMeMrWizard
Regular Member
 
Posts: 31
Joined: March 4th, 2007, 3:24 pm

Re: Virtumonde

Unread postby random/random » November 20th, 2007, 3:01 pm

Let's clear out the programmes we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if used inappropriately.

  • Double click OTMoveIt.exe to launch the programme.
  • Click on the CleanUp! button.
  • OTMoveIt will download a list from the Internet; if your firewall or other defensive programmes alert you, allow it access.
  • You will be prompted to allow the clean-up procedure; click Yes
  • When finished exit out of OTMoveIt
  • Now delete OTMoveIt.exe

You now appear to be clean. Congratulations!

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints, Malware Complaints. You need to be registered to post, as unfortunately we were hit with too many spam postings to allow guest posting to continue. Just find your country room and register your complaint.

Below are some steps to follow in order to dramatically lower the chances of reinfection
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented

  1. Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
  2. Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it, so that after the patch is installed attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC.
    Go here to check for & install updates to Microsoft applications
    Note: The update process uses activex, so you will need to use internet explorer for it, and allow the activex control that it wants to install
  3. Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities, to check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month
  4. Make Internet Explorer more secure
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & Click Custom level
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
    Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  5. Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
    If you don't know what activex controls are, see here
    You can download SpywareBlaster from here
  6. Install and use Spybot Search & Destroy
    Instructions are located here
    Make sure you update, reimmunize & scan regularly
  7. Make use of the HOSTS file included with Spybot Search & Destroy
    Every version of Windows includes a hosts file. A hosts file is a bit like a phone book: it maps the human-friendly name of a website to its actual numeric address (i.e. the IP address). This feature can be used to block malicious websites.
    Spybot Search & Destroy has a good HOSTS file built in, to enable the HOSTS file in Spybot Search & Destroy
    • Run Spybot Search & Destroy
    • Click on Mode, and then place a tick next to Advanced mode
    • Click Yes
    • In the left hand pane of Spybot Search & Destroy, click on Tools, and then on Hosts File
    • Click on Add Spybot-S&D hosts list
    Note: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue
    • Click Start > Run
    • Type services.msc & click OK
    • In the list, find the service called DNS Client & double click on it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click OK & then close the Services window
    For a more detailed explanation of the HOSTS file, click here
  8. Install a-squared Free & update and scan with it regularly
    a-squared free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. You can get it here
    Note: If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer which provides some real time protection against premium rate dialers
  9. Finally, I am trying to make one point very clear: it is absolutely essential to keep all of your security programs up to date
random/random
Developer
 
Posts: 7731
Joined: December 18th, 2005, 3:30 pm
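Step 7 above relies on how the hosts file is consulted: it is read top to bottom, the first entry naming a host wins, names are case-insensitive, there are no wildcards, and a name pointed at 127.0.0.1 or 0.0.0.0 simply never reaches the real site. The following added example (not part of the thread and not Spybot's code) models that lookup so you can see what a Spybot-style block list does and check a list before installing it. The blocked names are constructed (`.example`) and are not taken from any real list; the file layout follows the Windows default hosts file.

```python
# Added example, not from the original thread and not Spybot's code. Models
# how the Windows hosts file answers a name lookup so the effect of a block
# list can be checked before it is installed. Hostnames are constructed.

BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}  # addresses used to "block" a name

# Constructed sample: the Windows default entry plus Spybot-style block lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1\tads.tracker.example  www.ads.tracker.example   # added by Spybot-S&D
0.0.0.0         toolbar-installer.example
10.0.0.5        intranet.example
127.0.0.1       intranet.example   # later duplicate: ignored, first match wins
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs in file order, dropping comments and blanks."""
    table = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip full-line and inline comments
        if not line:
            continue
        fields = line.split()  # any run of spaces or tabs separates fields
        ip, names = fields[0], fields[1:]
        for name in names:  # one line may list several names for one address
            table.append((ip, name.lower().rstrip(".")))
    return table


def resolve(hostname, table):
    """First matching entry wins, as the resolver does; None means 'ask DNS'."""
    key = hostname.lower().rstrip(".")
    for ip, name in table:
        if name == key:
            return ip
    return None


def is_blocked(hostname, table):
    """A name is blocked when the hosts file sends it to a blackhole address."""
    return resolve(hostname, table) in BLACKHOLE


def merge_block_list(text, names):
    """Append 127.0.0.1 lines for names not already present (what 'Add
    Spybot-S&D hosts list' does) and return the new file text. Existing
    entries are kept, so a real mapping like intranet.example is never
    overridden by the block list."""
    known = {name for _, name in parse_hosts(text)}
    extra = [n for n in names if n.lower().rstrip(".") not in known]
    if not extra:
        return text
    lines = "\n".join(f"127.0.0.1\t{n}" for n in extra)
    return text.rstrip("\n") + "\n" + lines + "\n"


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for h in ("ads.tracker.example", "cdn.ads.tracker.example", "intranet.example"):
        print(h, "->", resolve(h, hosts), "blocked" if is_blocked(h, hosts) else "allowed")
```

Two caveats follow from the model: because there are no wildcards, `cdn.ads.tracker.example` is not blocked by an entry for `ads.tracker.example` (a real list has to enumerate subdomains), and a malicious page reached by a raw IP address in the URL never consults the hosts file at all. The slowdown mentioned in step 7 comes from the DNS Client service caching every one of those thousands of entries at startup, which is why the advice is to set it to Manual.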

Re: Virtumonde

Unread postby HelpMeMrWizard » December 9th, 2007, 10:22 am

Thank you for your help (sorry I forgot to send this reply sooner).
HelpMeMrWizard
Regular Member
 
Posts: 31
Joined: March 4th, 2007, 3:24 pm

Re: Virtumonde

Unread postby askey127 » December 23rd, 2007, 7:53 am

Glad we could be of assistance. This topic is now closed. If you wish it to be reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.
Please do not contact us to reopen this topic if you are not the topic starter.
A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.

You can help support this site from this link : Donations For Malware Removal
askey127
Admin/Teacher
 
Posts: 13904
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA