Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

virtumonde removal

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

virtumonde removal

Unread postby f5spawn » November 21st, 2007, 5:06 am

Hi, I'm looking for help regarding my desktop computer and removal of the virtumonde virus. I went ahead and downloaded HiJackThis and made a logfile to upload to this forum in order for you guys to view and hopefully help me clear my computer of the virus. Thank you for the help and here are the logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:04:41 AM, on 11/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\steam\steam.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {19959B63-1755-4D9E-84B3-6F4E5F561266} - C:\WINDOWS\system32\vturq.dll (file missing)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {9B609CE0-D3BC-470F-BE78-F19B8752E8E8} - C:\WINDOWS\system32\pmnno.dll (file missing)
O2 - BHO: (no name) - {B0B99274-36C1-4FE4-A6AB-90BA96168C2E} - C:\WINDOWS\tuilvsr.dll (file missing)
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\ljjifff.dll
O2 - BHO: {2dcd3aef-584f-b07b-a394-477fe55120ef} - {fe02155e-f774-493a-b70b-f485fea3dcd2} - C:\WINDOWS\system32\wxsahbgx.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Steam] "e:\steam\steam.exe" -silent
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://locator1.cdn.imageservr.com
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O20 - Winlogon Notify: ljjifff - C:\WINDOWS\SYSTEM32\ljjifff.dll
O20 - Winlogon Notify: tuilvsr - C:\WINDOWS\tuilvsr.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 5075 bytes
f5spawn
Regular Member
 
Posts: 26
Joined: October 7th, 2007, 12:15 am
Advertisement
Register to Remove

Re: virtumonde removal

Unread postby Gary R » November 21st, 2007, 7:50 am

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.



Hi f5spawn

I'm Gary R, I'll be glad to help you with your computer problems.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • Remember, absence of symptoms does not mean the infection is all gone.
If you can do these things, everything should go smoothly.
  • Please note you'll need to have Administrator privileges to perform the fixes. (XP accounts are Administrator by default)

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log.
Note: It is possible that VundoFix will encounter a file it can't remove. In this case, VundoFix will run on reboot. Simply follow the above instructions starting from Click the Scan for Vundo button when VundoFix appears at reboot.
User avatar
Gary R
Administrator
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: virtumonde removal

Unread postby f5spawn » November 21st, 2007, 8:40 am

Hi Gary R, thanks for your help. I think I should let you know 2 things before moving on so let you know my situation. First, I've attempted a few times to fix this problem on my own and I've tried a few techniques like using ComboFix (but it's expired I assume so I can't use it) and VundoFix as you can see in the log I'm about to post. Each time, a different set of vundo files appear so I'm not sure if I should keep running VundoFix till all the files are removed or if we should attempt other methods? The other thing I wanted to mention is that I'm using NOD32 as my antivirus and it periodically informs me of Vundo files in my system and I usually just choose the option to delete them. Is this alright or should I be doing something else? Anyways, here are the VundoFix logs and a new HiJackThis log that I created after running VundoFix:


VundoFix V6.6.2

Checking Java version...

Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 8:16:56 PM 11/20/2007

Listing files found while scanning....

C:\Documents and settings\Ben\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt
C:\Documents and settings\Ben\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt
C:\windows\system32\onnmp.ini
C:\windows\system32\onnmp.ini2
C:\windows\system32\pmnno.dll
C:\WINDOWS\tuilvsr.dll

Beginning removal...

Attempting to delete C:\Documents and settings\Ben\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt
C:\Documents and settings\Ben\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt Has been deleted!

Attempting to delete C:\Documents and settings\Ben\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt
C:\Documents and settings\Ben\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt Has been deleted!

Attempting to delete C:\windows\system32\onnmp.ini
C:\windows\system32\onnmp.ini Has been deleted!

Attempting to delete C:\windows\system32\onnmp.ini2
C:\windows\system32\onnmp.ini2 Has been deleted!

Attempting to delete C:\windows\system32\pmnno.dll
C:\windows\system32\pmnno.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.6.2

Checking Java version...

Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 8:26:53 PM 11/20/2007

Listing files found while scanning....

C:\windows\system32\qrutv.ini
C:\windows\system32\qrutv.ini2
C:\windows\system32\vturq.dll
C:\WINDOWS\tuilvsr.dll

Beginning removal...

Attempting to delete C:\windows\system32\qrutv.ini
C:\windows\system32\qrutv.ini Has been deleted!

Attempting to delete C:\windows\system32\qrutv.ini2
C:\windows\system32\qrutv.ini2 Has been deleted!

Attempting to delete C:\windows\system32\vturq.dll
C:\windows\system32\vturq.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\qrutv.ini
C:\windows\system32\qrutv.ini Has been deleted!

Attempting to delete C:\windows\system32\qrutv.ini2
C:\windows\system32\qrutv.ini2 Has been deleted!

Attempting to delete C:\windows\system32\vturq.dll
C:\windows\system32\vturq.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.6.2

Checking Java version...

Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 8:41:50 PM 11/20/2007

Listing files found while scanning....

C:\WINDOWS\rsvliut.bak1
C:\WINDOWS\rsvliut.bak2
C:\WINDOWS\rsvliut.ini
C:\WINDOWS\rsvliut.ini2
C:\WINDOWS\rsvliut.tmp
C:\WINDOWS\tuilvsr.dll

Beginning removal...

Attempting to delete C:\WINDOWS\rsvliut.bak1
C:\WINDOWS\rsvliut.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\rsvliut.bak2
C:\WINDOWS\rsvliut.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\rsvliut.ini
C:\WINDOWS\rsvliut.ini Has been deleted!

Attempting to delete C:\WINDOWS\rsvliut.ini2
C:\WINDOWS\rsvliut.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\rsvliut.tmp
C:\WINDOWS\rsvliut.tmp Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.6.2

Checking Java version...

Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 4:20:20 AM 11/21/2007

Listing files found while scanning....

C:\WINDOWS\tuilvsr.dll

Beginning removal...

Performing Repairs to the registry.
Done!


And here are the new HiJackThis logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:39:38 AM, on 11/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\steam\steam.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {19959B63-1755-4D9E-84B3-6F4E5F561266} - C:\WINDOWS\system32\vturq.dll (file missing)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {9B609CE0-D3BC-470F-BE78-F19B8752E8E8} - C:\WINDOWS\system32\pmnno.dll (file missing)
O2 - BHO: (no name) - {B0B99274-36C1-4FE4-A6AB-90BA96168C2E} - C:\WINDOWS\tuilvsr.dll (file missing)
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\ljjifff.dll
O2 - BHO: {2dcd3aef-584f-b07b-a394-477fe55120ef} - {fe02155e-f774-493a-b70b-f485fea3dcd2} - C:\WINDOWS\system32\wxsahbgx.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Steam] "e:\steam\steam.exe" -silent
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://locator1.cdn.imageservr.com
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O20 - Winlogon Notify: ljjifff - C:\WINDOWS\SYSTEM32\ljjifff.dll
O20 - Winlogon Notify: tuilvsr - C:\WINDOWS\tuilvsr.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 4959 bytes
f5spawn
Regular Member
 
Posts: 26
Joined: October 7th, 2007, 12:15 am

Re: virtumonde removal

Unread postby Gary R » November 21st, 2007, 9:53 am

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • If it says "No infected files were found", right-click the list box (white box) in the main VundoFix window.
  • Select "Add More Files?" from the menu that comes up.
  • This will open a new VundoFix window that says "Paste files into the boxes below:"
  • In that window, copy and paste the following file path in the first (top) field:
C:\WINDOWS\SYSTEM32\ljjifff.dll

  • Click the 'Add Files' button.
  • Click the 'Close Window' button.
  • Click the 'Remove Vundo' button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in your next reply.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.
User avatar
Gary R
Administrator
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: virtumonde removal

Unread postby f5spawn » November 21st, 2007, 6:33 pm

I attempted to remove the file you listed, but VundoFix could not even after prompting me to restart. I also removed a file but it keeps re-appearing when I run VundoFix. Anyways, here is the new VundoFix logs:



VundoFix V6.6.2

Checking Java version...

Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 8:16:56 PM 11/20/2007

Listing files found while scanning....

C:\Documents and settings\Ben\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt
C:\Documents and settings\Ben\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt
C:\windows\system32\onnmp.ini
C:\windows\system32\onnmp.ini2
C:\windows\system32\pmnno.dll
C:\WINDOWS\tuilvsr.dll

Beginning removal...

Attempting to delete C:\Documents and settings\Ben\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt
C:\Documents and settings\Ben\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt Has been deleted!

Attempting to delete C:\Documents and settings\Ben\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt
C:\Documents and settings\Ben\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt Has been deleted!

Attempting to delete C:\windows\system32\onnmp.ini
C:\windows\system32\onnmp.ini Has been deleted!

Attempting to delete C:\windows\system32\onnmp.ini2
C:\windows\system32\onnmp.ini2 Has been deleted!

Attempting to delete C:\windows\system32\pmnno.dll
C:\windows\system32\pmnno.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.6.2

Checking Java version...

Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 8:26:53 PM 11/20/2007

Listing files found while scanning....

C:\windows\system32\qrutv.ini
C:\windows\system32\qrutv.ini2
C:\windows\system32\vturq.dll
C:\WINDOWS\tuilvsr.dll

Beginning removal...

Attempting to delete C:\windows\system32\qrutv.ini
C:\windows\system32\qrutv.ini Has been deleted!

Attempting to delete C:\windows\system32\qrutv.ini2
C:\windows\system32\qrutv.ini2 Has been deleted!

Attempting to delete C:\windows\system32\vturq.dll
C:\windows\system32\vturq.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\qrutv.ini
C:\windows\system32\qrutv.ini Has been deleted!

Attempting to delete C:\windows\system32\qrutv.ini2
C:\windows\system32\qrutv.ini2 Has been deleted!

Attempting to delete C:\windows\system32\vturq.dll
C:\windows\system32\vturq.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.6.2

Checking Java version...

Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 8:41:50 PM 11/20/2007

Listing files found while scanning....

C:\WINDOWS\rsvliut.bak1
C:\WINDOWS\rsvliut.bak2
C:\WINDOWS\rsvliut.ini
C:\WINDOWS\rsvliut.ini2
C:\WINDOWS\rsvliut.tmp
C:\WINDOWS\tuilvsr.dll

Beginning removal...

Attempting to delete C:\WINDOWS\rsvliut.bak1
C:\WINDOWS\rsvliut.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\rsvliut.bak2
C:\WINDOWS\rsvliut.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\rsvliut.ini
C:\WINDOWS\rsvliut.ini Has been deleted!

Attempting to delete C:\WINDOWS\rsvliut.ini2
C:\WINDOWS\rsvliut.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\rsvliut.tmp
C:\WINDOWS\rsvliut.tmp Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.6.2

Checking Java version...

Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 4:20:20 AM 11/21/2007

Listing files found while scanning....

C:\WINDOWS\tuilvsr.dll

Beginning removal...

Performing Repairs to the registry.
Done!

VundoFix V6.6.2

Checking Java version...

Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 6:13:58 AM 11/21/2007

Listing files found while scanning....


VundoFix V6.6.2

Checking Java version...

Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 1:42:37 PM 11/21/2007

Listing files found while scanning....

C:\WINDOWS\tuilvsr.dll

Beginning removal...

Performing Repairs to the registry.
Done!

VundoFix V6.6.2

Checking Java version...

Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 2:00:08 PM 11/21/2007

Listing files found while scanning....

C:\WINDOWS\tuilvsr.dll

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\ljjifff.dll
C:\WINDOWS\SYSTEM32\ljjifff.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\ljjifff.dll
C:\WINDOWS\SYSTEM32\ljjifff.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.6.2

Checking Java version...

Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 2:21:42 PM 11/21/2007

Listing files found while scanning....

C:\WINDOWS\tuilvsr.dll

Beginning removal...

Performing Repairs to the registry.
Done!



And here is the new HiJackThis logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:32:53 PM, on 11/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
E:\steam\steam.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {19959B63-1755-4D9E-84B3-6F4E5F561266} - C:\WINDOWS\system32\vturq.dll (file missing)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {9B609CE0-D3BC-470F-BE78-F19B8752E8E8} - C:\WINDOWS\system32\pmnno.dll (file missing)
O2 - BHO: (no name) - {B0B99274-36C1-4FE4-A6AB-90BA96168C2E} - C:\WINDOWS\tuilvsr.dll (file missing)
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\ljjifff.dll
O2 - BHO: {2dcd3aef-584f-b07b-a394-477fe55120ef} - {fe02155e-f774-493a-b70b-f485fea3dcd2} - C:\WINDOWS\system32\wxsahbgx.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Steam] "e:\steam\steam.exe" -silent
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://locator1.cdn.imageservr.com
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O20 - Winlogon Notify: tuilvsr - C:\WINDOWS\tuilvsr.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 4973 bytes
f5spawn
Regular Member
 
Posts: 26
Joined: October 7th, 2007, 12:15 am

Re: virtumonde removal

Unread postby Gary R » November 21st, 2007, 7:14 pm

OK, don't quite know at this point why the file won't delete.

sUBs has uploaded a new version of Combofix now, so we can have a look with that and see if it tells me something that Vundofix isn't.

First delete any versions of Combofix that you already have.

  • Download combofix.exe by sUBs to your Desktop (don't put it anywhere else please, it will cause problems later).
  • Alternate Download
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log for you. Post that log in your next reply please, along with a new HJT log. (it can also be found at C:\Combofix.txt)
IMPORTANT
  • Do not use your computer while Combofix is running.
  • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
User avatar
Gary R
Administrator
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: virtumonde removal

Unread postby f5spawn » November 21st, 2007, 7:50 pm

Here are the ComboFix logs:

ComboFix 07-11-19.3 - Ben 2007-11-21 15:34:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.671 [GMT -8:00]
Running from: C:\Documents and Settings\Ben\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Ben\Application Data\macromedia\Flash Player\#SharedObjects\NDLGB6FJ\www.broadcaster.com
C:\Documents and Settings\Ben\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Ben\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\Ben\Application Data\searchtoolbarcorp
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\jkhhf.dll
C:\WINDOWS\system32\jkkll.dll
C:\WINDOWS\system32\mljjj.dll
C:\WINDOWS\wr.txt

.
((((((((((((((((((((((((( Files Created from 2007-10-21 to 2007-11-21 )))))))))))))))))))))))))))))))
.

2007-11-21 00:09 293,260 --a------ C:\WINDOWS\system32\ssqpn.dll
2007-11-20 23:09 311,296 --a------ C:\WINDOWS\system32\ssqpm.dll
2007-11-20 22:09 309,320 --a------ C:\WINDOWS\system32\vtutu.dll
2007-11-20 20:24 <DIR> d-------- C:\WINDOWS\system32\xircom
2007-11-20 20:24 <DIR> d-------- C:\WINDOWS\srchasst
2007-11-20 20:24 <DIR> d-------- C:\Program Files\microsoft frontpage
2007-11-20 20:16 <DIR> d-------- C:\VundoFix Backups
2007-11-20 03:58 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-15 22:24 <DIR> d-------- C:\Program Files\Ventrilo
2007-11-15 22:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-10 22:11 <DIR> d-------- C:\Documents and Settings\Ben\Application Data\Move Networks
2007-11-07 21:55 <DIR> d-------- C:\Program Files\CEVO
2007-11-03 14:04 <DIR> d-------- C:\Program Files\Delta
2007-10-28 21:28 <DIR> d-------- C:\WINDOWS\FLV Player
2007-10-28 21:28 <DIR> d-------- C:\Program Files\FLV Player
2007-10-28 01:56 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-10-28 01:55 <DIR> d-------- C:\Program Files\Real
2007-10-27 01:47 <DIR> d-------- C:\Program Files\DivX
2007-10-26 21:52 <DIR> d-------- C:\Documents and Settings\Ben\Application Data\Grisoft
2007-10-26 21:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-26 21:52 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-21 00:13 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-21 12:25 --------- d-----w C:\Program Files\mIRC
2007-11-21 06:57 --------- d-----w C:\Program Files\HLSW
2007-11-20 05:23 --------- d-----w C:\Documents and Settings\Ben\Application Data\Azureus
2007-11-19 02:51 --------- d-----w C:\Program Files\FlashFXP
2007-11-06 05:59 --------- d-----w C:\Program Files\TetriNET2
2007-10-28 09:55 --------- d-----w C:\Program Files\Common Files\Real
2007-10-20 21:16 --------- d-----w C:\Program Files\Windows Media Connect 2
2005-01-18 15:01 114,688 ----a-w C:\Program Files\Common Files\InstallDLL.exe
2005-01-17 01:01 49,152 ----a-w C:\Program Files\Common Files\CDKey.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{19959B63-1755-4D9E-84B3-6F4E5F561266}]
C:\WINDOWS\system32\vturq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B609CE0-D3BC-470F-BE78-F19B8752E8E8}]
C:\WINDOWS\system32\pmnno.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B0B99274-36C1-4FE4-A6AB-90BA96168C2E}]
C:\WINDOWS\tuilvsr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}]
C:\WINDOWS\system32\ljjifff.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fe02155e-f774-493a-b70b-f485fea3dcd2}]
C:\WINDOWS\system32\wxsahbgx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="e:\steam\steam.exe" [2007-11-14 15:52]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 18:39 C:\WINDOWS\soundman.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-08-16 20:22]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-08-13 18:05]
"nwiz"="nwiz.exe" [2007-09-17 00:07 C:\WINDOWS\system32\nwiz.exe]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-28 01:55]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}"= C:\WINDOWS\system32\ljjifff.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuilvsr]
C:\WINDOWS\tuilvsr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeadAIM]
rundll32.exe C:\PROGRA~1\AIM\\DeadAIM.ocm,ExportedCheckODLs

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGServices]
C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
2005-10-31 11:05 278528 --a------ C:\Program Files\DIGStream\digstream.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2004-09-13 15:49 49152 --a------ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-10-30 09:36 256576 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Octoshape Streaming Services]
C:\Program Files\Octoshape Streaming Services\Ben\OctoshapeClient.exe -inv:bootrun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2004-11-02 20:24 32768 --a------ C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-11-10 13:03 36975 --a------ C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

R2 io.sys;IO.DLL Driver;\??\C:\WINDOWS\system32\drivers\io.sys
S1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-19 14:59:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-21 15:45:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-21 15:47:20 - machine was rebooted
.
--- E O F ---



And here are the new HiJackThis logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:49:46 PM, on 11/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\steam\steam.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {19959B63-1755-4D9E-84B3-6F4E5F561266} - C:\WINDOWS\system32\vturq.dll (file missing)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {9B609CE0-D3BC-470F-BE78-F19B8752E8E8} - C:\WINDOWS\system32\pmnno.dll (file missing)
O2 - BHO: (no name) - {B0B99274-36C1-4FE4-A6AB-90BA96168C2E} - C:\WINDOWS\tuilvsr.dll (file missing)
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\ljjifff.dll (file missing)
O2 - BHO: {2dcd3aef-584f-b07b-a394-477fe55120ef} - {fe02155e-f774-493a-b70b-f485fea3dcd2} - C:\WINDOWS\system32\wxsahbgx.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Steam] "e:\steam\steam.exe" -silent
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://locator1.cdn.imageservr.com
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O20 - Winlogon Notify: tuilvsr - C:\WINDOWS\tuilvsr.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 4908 bytes
f5spawn
Regular Member
 
Posts: 26
Joined: October 7th, 2007, 12:15 am

Re: virtumonde removal

Unread postby Gary R » November 22nd, 2007, 5:04 am

Hi f5spawn,

Looking better, but still some work to do.

  • Click Start > Run type Notepad click OK.
  • This will open an empty Notepad file.
  • Copy/Paste the contents of the box below into Notepad.
Files::
C:\WINDOWS\system32\ssqpn.dll
C:\WINDOWS\system32\ssqpm.dll
C:\WINDOWS\system32\vtutu.dll

Folders::
C:\WINDOWS\system32\xircom
C:\WINDOWS\srchasst

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{19959B63-1755-4D9E-84B3-6F4E5F561266}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B609CE0-D3BC-470F-BE78-F19B8752E8E8}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B0B99274-36C1-4FE4-A6AB-90BA96168C2E}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fe02155e-f774-493a-b70b-f485fea3dcd2}]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuilvsr]


  • Click Format and ensure Wordwrap is unchecked.
  • Save as CFScript.txt to your Desktop.
Image

Refering to the picture above, drag CFScript.txt into ComboFix.exe

Combofix will now process that file.

When finished, it will produce a log for you. Post that log in your next reply please, along with a new HJT log. (it can also be found at C:\Combofix.txt)
Next
  • Click Start > Run and type cleanmgr then click OK.
  • This will bring up the Disk Cleanup window.
  • Check the following entries.
    • Temporary Internet Files.
    • Recycle Bin.
    • Temporary Files.
  • Click OK.
  • When a prompt pops up click Yes.
Then

Please do an online scan with Kaspersky Online Scanner

Note: You must be using Internet Explorer as your browser as it will be necessary to install an Active X component to your computer.

Important If you have previously used Kaspersky Online Scanner (before 8th Aug 2006), you will have to uninstall the old version using Add/Remove Programs in Control Panel before you can use the new version.

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:

    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK.
  • Now under select a target to scan select My Computer.
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Note: The Kaspersky online scanner is not yet fully compatible with IE7. You may get returned to a window without the Accept/Decline buttons after allowing the ActiveX control. The buttons are there - you just can't see them! Click on the zoom button (bottom, right of the window) and change it from 100% to 75%. You should now see the buttons. Reset to 100% once the license has been accepted.

Summary of the logs I need from you in your next post:
  • Combofix log
  • Kaspersky log
  • New HJT log


Please post each log separately to prevent them being cut off by the forum post size limiter.
User avatar
Gary R
Administrator
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: virtumonde removal

Unread postby f5spawn » November 22nd, 2007, 10:29 am

Hi GaryR, here is the ComboFix logs:

ComboFix 07-11-19.3 - Ben 2007-11-22 4:40:39.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.619 [GMT -8:00]
Running from: C:\Documents and Settings\Ben\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ben\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-10-22 to 2007-11-22 )))))))))))))))))))))))))))))))
.

2007-11-21 00:09 293,260 --a------ C:\WINDOWS\system32\ssqpn.dll
2007-11-20 23:09 311,296 --a------ C:\WINDOWS\system32\ssqpm.dll
2007-11-20 22:09 309,320 --a------ C:\WINDOWS\system32\vtutu.dll
2007-11-20 20:24 <DIR> d-------- C:\WINDOWS\system32\xircom
2007-11-20 20:24 <DIR> d-------- C:\WINDOWS\srchasst
2007-11-20 20:24 <DIR> d-------- C:\Program Files\microsoft frontpage
2007-11-20 20:16 <DIR> d-------- C:\VundoFix Backups
2007-11-20 03:58 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-15 22:24 <DIR> d-------- C:\Program Files\Ventrilo
2007-11-15 22:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-10 22:11 <DIR> d-------- C:\Documents and Settings\Ben\Application Data\Move Networks
2007-11-07 21:55 <DIR> d-------- C:\Program Files\CEVO
2007-11-03 14:04 <DIR> d-------- C:\Program Files\Delta
2007-10-28 21:28 <DIR> d-------- C:\WINDOWS\FLV Player
2007-10-28 21:28 <DIR> d-------- C:\Program Files\FLV Player
2007-10-28 01:56 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-10-28 01:55 <DIR> d-------- C:\Program Files\Real
2007-10-27 01:47 <DIR> d-------- C:\Program Files\DivX
2007-10-26 21:52 <DIR> d-------- C:\Documents and Settings\Ben\Application Data\Grisoft
2007-10-26 21:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-26 21:52 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-22 06:19 --------- d-----w C:\Program Files\FlashFXP
2007-11-22 06:08 --------- d-----w C:\Program Files\mIRC
2007-11-22 06:08 --------- d-----w C:\Documents and Settings\Ben\Application Data\Azureus
2007-11-21 13:38 302,020 ----a-w C:\WINDOWS\system32\jkkli.dll
2007-11-21 10:09 312,240 ----a-w C:\WINDOWS\system32\jkhhg.dll
2007-11-21 09:09 311,460 ----a-w C:\WINDOWS\system32\gebca.dll
2007-11-21 06:57 --------- d-----w C:\Program Files\HLSW
2007-11-06 05:59 --------- d-----w C:\Program Files\TetriNET2
2007-10-28 09:55 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-10-28 09:55 --------- d-----w C:\Program Files\Common Files\Real
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\DllCache\shell32.dll
2007-10-20 21:16 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-09-17 09:10 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2007-09-17 09:10 356,352 ----a-w C:\WINDOWS\system32\nvudisp.exe
2007-09-17 08:07 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-09-17 08:07 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-09-17 08:07 8,491,008 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-09-17 08:07 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-09-17 08:07 6,746,112 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-09-17 08:07 6,344,704 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-09-17 08:07 5,783,040 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-09-17 08:07 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-09-17 08:07 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-09-17 08:07 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-09-17 08:07 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-09-17 08:07 364,544 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-09-17 08:07 36,864 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-09-17 08:07 36,864 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-09-17 08:07 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-09-17 08:07 3,551,232 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-09-17 08:07 3,334,144 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-09-17 08:07 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-09-17 08:07 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-09-17 08:07 2,371,584 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-09-17 08:07 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-09-17 08:07 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-09-17 08:07 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-09-17 08:07 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-09-17 08:07 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-09-17 08:07 1,478,656 ----a-w C:\WINDOWS\system32\nview.dll
2007-09-17 08:07 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-09-17 08:07 1,150,976 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-09-17 08:07 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-08-22 12:55 96,256 ------w C:\WINDOWS\system32\DllCache\inseng.dll
2007-08-22 12:55 665,600 ------w C:\WINDOWS\system32\DllCache\wininet.dll
2007-08-22 12:55 617,984 ------w C:\WINDOWS\system32\DllCache\urlmon.dll
2007-08-22 12:55 55,808 ------w C:\WINDOWS\system32\DllCache\extmgr.dll
2007-08-22 12:55 532,480 ------w C:\WINDOWS\system32\DllCache\mstime.dll
2007-08-22 12:55 474,112 ------w C:\WINDOWS\system32\DllCache\shlwapi.dll
2007-08-22 12:55 449,024 ------w C:\WINDOWS\system32\DllCache\mshtmled.dll
2007-08-22 12:55 39,424 ------w C:\WINDOWS\system32\DllCache\pngfilt.dll
2007-08-22 12:55 357,888 ------w C:\WINDOWS\system32\DllCache\dxtmsft.dll
2007-08-22 12:55 3,064,832 ------w C:\WINDOWS\system32\DllCache\mshtml.dll
2007-08-22 12:55 251,904 ------w C:\WINDOWS\system32\DllCache\iepeers.dll
2007-08-22 12:55 205,824 ------w C:\WINDOWS\system32\DllCache\dxtrans.dll
2007-08-22 12:55 16,384 ------w C:\WINDOWS\system32\DllCache\jsproxy.dll
2007-08-22 12:55 151,040 ------w C:\WINDOWS\system32\DllCache\cdfview.dll
2007-08-22 12:55 146,432 ------w C:\WINDOWS\system32\DllCache\msrating.dll
2007-08-22 12:55 1,498,112 ------w C:\WINDOWS\system32\DllCache\shdocvw.dll
2007-08-22 12:55 1,054,208 ------w C:\WINDOWS\system32\DllCache\danim.dll
2007-08-22 12:55 1,022,976 ------w C:\WINDOWS\system32\DllCache\browseui.dll
2005-01-18 15:01 114,688 ----a-w C:\Program Files\Common Files\InstallDLL.exe
2005-01-17 01:01 49,152 ----a-w C:\Program Files\Common Files\CDKey.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="e:\steam\steam.exe" [2007-11-14 15:52]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 18:39 C:\WINDOWS\soundman.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-08-16 20:22]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-08-13 18:05]
"nwiz"="nwiz.exe" [2007-09-17 00:07 C:\WINDOWS\system32\nwiz.exe]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-28 01:55]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuilvsr]
C:\WINDOWS\tuilvsr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeadAIM]
rundll32.exe C:\PROGRA~1\AIM\\DeadAIM.ocm,ExportedCheckODLs

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGServices]
C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
2005-10-31 11:05 278528 --a------ C:\Program Files\DIGStream\digstream.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2004-09-13 15:49 49152 --a------ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-10-30 09:36 256576 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Octoshape Streaming Services]
C:\Program Files\Octoshape Streaming Services\Ben\OctoshapeClient.exe -inv:bootrun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2004-11-02 20:24 32768 --a------ C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-11-10 13:03 36975 --a------ C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

R2 io.sys;IO.DLL Driver;\??\C:\WINDOWS\system32\drivers\io.sys
S1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-19 14:59:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-22 04:43:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-22 4:43:55
C:\ComboFix2.txt ... 2007-11-21 15:47
.
--- E O F ---
f5spawn
Regular Member
 
Posts: 26
Joined: October 7th, 2007, 12:15 am

Re: virtumonde removal

Unread postby f5spawn » November 22nd, 2007, 10:30 am

And here are the Kaspersky Online Scanner logs:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, November 22, 2007 6:27:50 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/11/2007
Kaspersky Anti-Virus database records: 463613
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 55050
Number of viruses found: 12
Number of infected objects: 57
Number of suspicious objects: 0
Duration of the scan process: 01:10:21

Infected Object Name / Virus Name / Last Action
C:\1C7.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\1C7.tmp NSIS: infected - 1 skipped
C:\1C9.tmp/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\1C9.tmp/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\1C9.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\1C9.tmp NSIS: infected - 3 skipped
C:\462.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\462.tmp NSIS: infected - 1 skipped
C:\463.tmp/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\463.tmp/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\463.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\463.tmp NSIS: infected - 3 skipped
C:\4AA.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\4AA.tmp NSIS: infected - 1 skipped
C:\4AB.tmp/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\4AB.tmp/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\4AB.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\4AB.tmp NSIS: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\pqvi0ate.default\cert8.db Object is locked skipped
C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\pqvi0ate.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\pqvi0ate.default\history.dat Object is locked skipped
C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\pqvi0ate.default\key3.db Object is locked skipped
C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\pqvi0ate.default\parent.lock Object is locked skipped
C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\pqvi0ate.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\pqvi0ate.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-50a55d63-6da21f63.zip/BnnnnBaa.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-50a55d63-6da21f63.zip/VaannnaaBaa.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-50a55d63-6da21f63.zip/Bnnnnn.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-50a55d63-6da21f63.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-1d6514b8.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-1d6514b8.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-224111f8.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-224111f8.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-22349807.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-22349807.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-48e7a770.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-48e7a770.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Ben\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ben\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ben\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ben\Local Settings\Application Data\Mozilla\Firefox\Profiles\pqvi0ate.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Ben\Local Settings\Application Data\Mozilla\Firefox\Profiles\pqvi0ate.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Ben\Local Settings\Application Data\Mozilla\Firefox\Profiles\pqvi0ate.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Ben\Local Settings\Application Data\Mozilla\Firefox\Profiles\pqvi0ate.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Ben\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ben\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Ben\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ben\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Ben\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped
C:\Program Files\ESET\infected\B2IDNNAA.NQF Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Program Files\ESET\infected\EAGM43DA.NQF Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped
C:\Program Files\ESET\infected\HNOVT4AA.NQF Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\Program Files\ESET\infected\IHCNZ2CA.NQF Infected: Trojan.Win32.Obfuscated.kp skipped
C:\Program Files\ESET\infected\JPW14UCA.NQF Infected: Trojan.Win32.Obfuscated.kp skipped
C:\Program Files\ESET\infected\JQUTFOBA.NQF Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\Program Files\ESET\infected\KW22GZDA.NQF/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Program Files\ESET\infected\KW22GZDA.NQF NSIS: infected - 1 skipped
C:\Program Files\ESET\infected\KW22GZDA.NQF PE-Crypt.XorPE: infected - 1 skipped
C:\Program Files\ESET\infected\PKVGVNAA.NQF/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\Program Files\ESET\infected\PKVGVNAA.NQF/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\Program Files\ESET\infected\PKVGVNAA.NQF/stream Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\Program Files\ESET\infected\PKVGVNAA.NQF NSIS: infected - 3 skipped
C:\Program Files\ESET\infected\PKVGVNAA.NQF PE-Crypt.XorPE: infected - 3 skipped
C:\Program Files\ESET\infected\SUWCAPBA.NQF Infected: Trojan.Win32.Obfuscated.kp skipped
C:\Program Files\ESET\infected\VP5BOYCA.NQF Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\Program Files\ESET\infected\YPJBXTAA.NQF/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\Program Files\ESET\infected\YPJBXTAA.NQF/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\Program Files\ESET\infected\YPJBXTAA.NQF/stream Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\Program Files\ESET\infected\YPJBXTAA.NQF NSIS: infected - 3 skipped
C:\Program Files\ESET\infected\YPJBXTAA.NQF PE-Crypt.XorPE: infected - 3 skipped
C:\Program Files\ESET\logs\virlog.dat Object is locked skipped
C:\Program Files\ESET\logs\warnlog.dat Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Program Files\Sygate\SPF\debug.log Object is locked skipped
C:\Program Files\Sygate\SPF\rawlog.log Object is locked skipped
C:\Program Files\Sygate\SPF\seclog.log Object is locked skipped
C:\Program Files\Sygate\SPF\syslog.log Object is locked skipped
C:\Program Files\Sygate\SPF\tralog.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\Counter-Strike\cs stuff - CLEAN UP\mirc612.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.612 skipped
E:\Counter-Strike\cs stuff - CLEAN UP\mirc612.exe mIRC: infected - 1 skipped
E:\shared\lexiconscript.zip/Lexiconscript32.exe/Lexicon.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 skipped
E:\shared\lexiconscript.zip/Lexiconscript32.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 skipped
E:\shared\lexiconscript.zip ZIP: infected - 2 skipped
E:\Steam\Steam.log Object is locked skipped
E:\Steam\SteamApps\winui.gcf Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
f5spawn
Regular Member
 
Posts: 26
Joined: October 7th, 2007, 12:15 am

Re: virtumonde removal

Unread postby f5spawn » November 22nd, 2007, 10:31 am

Finally, here is the new HiJackThis logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:28:59 AM, on 11/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\steam\steam.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Steam] "e:\steam\steam.exe" -silent
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://locator1.cdn.imageservr.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O20 - Winlogon Notify: tuilvsr - C:\WINDOWS\tuilvsr.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 4536 bytes
f5spawn
Regular Member
 
Posts: 26
Joined: October 7th, 2007, 12:15 am

Re: virtumonde removal

Unread postby Gary R » November 22nd, 2007, 11:32 am

OK, almost clear, just a couple of things to do.

Run a scan with HJT and when finished check the following items (if found).

O20 - Winlogon Notify: tuilvsr - C:\WINDOWS\tuilvsr.dll (file missing)

Now close all open windows and click Fix Checked to remove them.

Question: Did you set the following to your Trusted Zones in Internet Explorer?

O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://locator1.cdn.imageservr.com


If not, add them to the items to be removed using HJT.

Next

Clean out your Java cache, there are infected files in it.

  • Click Start > Control Panel > double-click on the Java Icon (coffee cup) in the Control Panel.
  • On the General tab, under Temporary Internet Files, click the Delete Files... button.
  • There are three options in the window to clear the cache - Leave ALL 3 ticked
    • Downloaded Applets
    • Downloaded Applications
    • Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.

Let me know if you have any problems.

Download OTMoveIt by OldTimer to your Desktop.
  • Double click OTMoveIt.exe to launch it.
  • Copy/Paste the contents of the box below into the left hand pane of OTMoveIt.
C:\1C7.tmp
C:\1C9.tmp
C:\462.tmp
C:\463.tmp
C:\4AA.tmp
C:\4AB.tmp

  • Click the Move It button.
  • The list will be processed and the results will appear in the right hand pane.
  • If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
  • When finished click Exit to exit the programme.
  • A log C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log will be created (where mmddyyyy_hhmmss are numbers giving date and time the log was created).
  • Post the log back here please.

Run a new HJT scan and send me the log please.

Summary of the logs I need from you in your next post:
  • OTMoveIt
  • New HJT log


Please post each log separately to prevent them being cut off by the forum post size limiter.
User avatar
Gary R
Administrator
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: virtumonde removal

Unread postby f5spawn » November 22nd, 2007, 11:40 am

I deleted the first file with HiJackThis along with the other 2 files you mentioned as I don't remember ever doing it so I just removed it. Anyways, here is the OTMoveIT log that was produced:

C:\1C7.tmp moved successfully.
C:\1C9.tmp moved successfully.
C:\462.tmp moved successfully.
C:\463.tmp moved successfully.
C:\4AA.tmp moved successfully.
C:\4AB.tmp moved successfully.

Created on 11/22/2007 07:39:18
f5spawn
Regular Member
 
Posts: 26
Joined: October 7th, 2007, 12:15 am

Re: virtumonde removal

Unread postby f5spawn » November 22nd, 2007, 11:41 am

And here is the new HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:41:03 AM, on 11/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\steam\steam.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Steam] "e:\steam\steam.exe" -silent
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 4300 bytes
f5spawn
Regular Member
 
Posts: 26
Joined: October 7th, 2007, 12:15 am

Re: virtumonde removal

Unread postby Gary R » November 22nd, 2007, 12:06 pm

OK, looks good.

Let's clear out the programmes we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if used inappropriately. Besides they're updated regularly so won't be of any use against future infections
  • Double click OTMoveIt.exe to launch the programme.
  • Click on the CleanUp! button.
  • OTMoveIt will download a list from the Internet, if your firewall or other defensive programmes alerts you, allow it access.
  • You will be prompted to allow the clean up procedure, click Yes
  • When finished exit out of OTMoveIt
  • Now delete OTMoveIt.exe (if present).

As far as I can see, your computer looks clear of infection now.

Are you still noticing any problems ?
  • If you are let me know about them.
  • If not it's time to make your computer more secure.
Below are a series of recommendations which will help you keep more secure online.

Obviously you have already taken care of some of the issues mentioned, but it is important that you read through them, and address any that you may have missed.

THESE STEPS ARE VERY IMPORTANT

Lets reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to clean the restore points.
  • Turn off System Restore.
    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • Check Turn off System Restore.
    • Click Apply, and then click OK.
  • Reboot.
  • Turn ON System Restore.
    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • UN-Check *Turn off System Restore*.
    • Click Apply, and then click OK.
  • NOTE: only do this once, NOT on a regular basis.
Update your Java.
Older versions have vulnerabilities that malware can and are using to infect systems.

Please follow these steps to remove older version Java components. This is important as it's still possible to get infected through an old install even if you're using the latest version of Java.

  • Close any programmes you may have running, ESPECIALLY your web browser
  • Click Start > Control Panel.
  • Click Add/Remove Programs.
  • Check any item with Java Runtime Environment (JRE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove all versions of Java.
  • Reboot your computer once all Java components are removed.
Download the latest version of Java Runtime Environment (JRE) 6u3, and install it to your computer.

Updating Windows and Internet Explorer
It is essential you keep your Operating System up to date with all the latest patches. The bad guys watch for the latest exploits, as soon as Microsoft brings out a patch, the bad guys will bring out an infection to exploit that vulnerability. If you don't have all the latest patches your computer is vulnerable. Please go to the windows update site and get the critical updates.

Use a "secure" browser
Install Internet Explorer 7 or an alternative browser like Firefox or Opera for more secure surfing.
Please remember that there is no such thing as a totally secure browser. Your browsing habits will be the major factor in determining just how safe you are online. If you visit, Crack/Warez sites, Porn sites, or other sites of a questionable nature, you still run a severe risk of getting infected.

The following are free programs that are designed to keep your computer clean. A brief description is included with each item, click on name to go to download site.

  • Adaware SE Personal
    Adaware is a free program. It scans for known spyware on your computer. These scans should be run at least once every two weeks. For more information, see this tutorial
  • Spybot S & D
    Spybot is a scanner like Adaware. It scans for spyware and other malicious programs. It is important to have both Adaware and Spybot on your computer because each program provides unique detection and protection measures. Spybot has preventitive tools that stop programs from even installing on your computer.
    To see how to set this up as well as more spybot features, see here
  • SpywareBlaster
    Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes "kill bits" in the registry, so that certain activex controls can't install.
    If you don't know what activex controls are, see here
  • IE Spyad
    It puts many bad webpages on your restricted zones LIST. This means that you can still view the "bad" webpages, but the webpages can't do certain things (such as use javascripts and cookies). Use IE Spyad for single account computers, and IE Spyad 2 for multi account computers.
  • Hosts file:
  • Make sure you read the instructions on how to install the hosts file, here.

    • Every version of windows has a hosts file as part of them.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
  • If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    • Click the start button (at the lower left hand corner of your screen)
    • Click run
    • In the dialog box, type services.msc
    • hit enter, then locate dns client
    • Highlight it, then double-click it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click ok
  • Use an Anti Virus Software - It's very important that your computer has an anti-virus software running. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some on line & their stand-alone anti virus programs:
    Computer Safety On line - LIST of free Anti virus programs
  • Use a Firewall - I cannot stress enough how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
    See here to choose one.
  • Site Advisor This is a utility that can be downloaded and installed. It loads an icon to the taskbar of your browser (versions for IE and Firefox), indicating the trustworthiness of the site you are on. Green for safe, Red for suspicious. Click on the icon to access details that SiteAdvisor has about the site.

Here's links to a few articles which are well worth reading

Finally
NOW is the time you can start to hit back at the people who infected you.
Image
Please take the time to go and complain - that forum has a topic for your infection which is Vundo....... (if not, post in the Is your infection not listed here? topic). Please post as a reply, you do not need to register to do so (but you can if you wish). It will also have a list of other places you can go to to register your complaint, depending on the country you are resident in. Please read the topics and complain, it is only with such complaints to government or government agencies that something will get done.
User avatar
Gary R
Administrator
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: pgmigg and 38 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware