
Malware Removal Instructions

Virtumonde and virtumonde.dll I'm new here is my hijack


Re: Virtumonde and virtumonde.dll I'm new here is my hijack

Post by Blade81 » April 23rd, 2008, 3:59 pm

Hi

Are you able to access System Restore management? We could try to restore back to a date before all these problems started, in case there's a suitable system restore point available.

Here are instructions for doing a system restore.
Blade81
Admin/Teacher
 
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland

Re: Virtumonde and virtumonde.dll I'm new here is my hijack

Post by wilsonstreasures » April 23rd, 2008, 5:03 pm

No, because it (the virus) deleted all of them, and the earliest restore time (there are only 4) is April 18, which is the day after the freaking thing attacked my system. I already thought of that, smile. I found Internet Explorer now; it was disabled, lol. But... when I double-click on it, it just flashes and disappears, who knows. Does my computer look rid of infection now?
wilsonstreasures
Regular Member
 
Posts: 17
Joined: April 20th, 2008, 8:04 pm

Re: Virtumonde and virtumonde.dll I'm new here is my hijack

Post by wilsonstreasures » April 23rd, 2008, 5:06 pm

It opens System Restore, but the option to choose another restore time is completely gone; it only gives you that one choice, to restore from the day the virus attacked. It shows no time or anything, only the top half of the box shows, and it gives you only that one choice. It's ridiculous.
wilsonstreasures
Regular Member
 
Posts: 17
Joined: April 20th, 2008, 8:04 pm

Re: Virtumonde and virtumonde.dll I'm new here is my hijack

Post by wilsonstreasures » April 23rd, 2008, 5:08 pm

If you look at line O6 of my last HijackThis log, why does it say that there are Internet Explorer restrictions present?? Is that the problem??
wilsonstreasures
Regular Member
 
Posts: 17
Joined: April 20th, 2008, 8:04 pm

Re: Virtumonde and virtumonde.dll I'm new here is my hijack

Post by Blade81 » April 24th, 2008, 3:16 am

wilsonstreasures wrote: If you look at line O6 of my last HijackThis log, why does it say that there are Internet Explorer restrictions present?? Is that the problem??


Hi

No, that shouldn't prevent IE from opening.

Download GMER and save it to your desktop:
  • Extract it to your desktop and double-click GMER.exe
  • Click the Rootkit tab and then Scan.
  • Don't check the Show All box while scanning is in progress!
  • When scanning is ready, click Copy.
  • This copies the log to the clipboard.
  • Post the log in your reply.
Blade81
Admin/Teacher
 
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland

Re: Virtumonde and virtumonde.dll I'm new here is my hijack

Post by wilsonstreasures » April 24th, 2008, 3:47 am

GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-04-24 02:45:36
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT A5BFA9EC ZwCreateThread
SSDT A5BFA9D8 ZwOpenProcess
SSDT A5BFA9DD ZwOpenThread
SSDT A5BFA9E7 ZwTerminateProcess
SSDT A5BFA9E2 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwQueryLicenseValue + D41 81E9EBB9 1 Byte [ 06 ]
.text ntkrnlpa.exe!KeSetTimerEx + 454 81EFFAA8 4 Bytes [ EC, A9, BF, A5 ]
.text ntkrnlpa.exe!KeSetTimerEx + 624 81EFFC78 4 Bytes [ D8, A9, BF, A5 ]
.text ntkrnlpa.exe!KeSetTimerEx + 640 81EFFC94 4 Bytes [ DD, A9, BF, A5 ]
.text ntkrnlpa.exe!KeSetTimerEx + 854 81EFFEA8 4 Bytes [ E7, A9, BF, A5 ]
.text ntkrnlpa.exe!KeSetTimerEx + 8B4 81EFFF08 4 Bytes [ E2, A9, BF, A5 ]
_PAGELK C:\Windows\system32\ntkrnlpa.exe entry point in "_PAGELK" section [0x81F334B0]

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\tdx \Device\Tcp aswRdr.SYS (avast! TDI RDR Driver/ALWIL Software)

---- Processes - GMER 1.0.14 ----

Process (*** hidden *** ) [0] 21420232

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\ssmdrv\Products@Avira AntiVir Personal \x2013 Free Antivirus C:\Program Files\Avira\AntiVir PersonalEdition Classic\??????????????????????????????????????????????????????????????????????????
Reg HKLM\SYSTEM\ControlSet003\Services\ssmdrv\Products@Avira AntiVir Personal \x2013 Free Antivirus C:\Program Files\Avira\AntiVir PersonalEdition Classic\??????????????????????????????????????????????????????????????????????????
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion@CurrentVersion 6.0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion@CurrentBuildNumber 6001
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion@ProductName Windows Vista (TM) Home Premium
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion@CSDVersion Service Pack 1
Reg HKLM\SOFTWARE\Classes\CLSID\{96F7CB97-7C49-430C-84DE-D9567D0DE628}\InprocServer32@ C:\Windows\system32\qoMFxWPi.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{96F7CB97-7C49-430C-84DE-D9567D0DE628}\InprocServer32@ThreadingModel Both
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D0805CD5-B453-F844-E778-6C9C13CD4D5A}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D0805CD5-B453-F844-E778-6C9C13CD4D5A}@bbiilnlkidlpfmbkdedhnkgdckpahagbhhme 0x61 0x62 0x6E 0x67 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D0805CD5-B453-F844-E778-6C9C13CD4D5A}@abiilnlkidlpfmbkdeahoanmjcfengakhl 0x65 0x62 0x69 0x69 ...

---- EOF - GMER 1.0.14 ----
wilsonstreasures
Regular Member
 
Posts: 17
Joined: April 20th, 2008, 8:04 pm
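The GMER log above is plain text in fixed sections, which makes it easy to triage programmatically. The following is an added example, not code from this thread or from GMER's authors: it parses that format and pulls out the three things a helper reads first, namely SSDT hooks (which still need attributing to a known driver, such as the security software on the machine), hidden processes, and CLSID InprocServer32 entries whose default value points at a randomly named DLL in system32, the pattern the thread's qoMFxWPi.dll follows. The sample log is a constructed excerpt modelled on the posted one, and the "8 mixed-case letters" test is an assumed heuristic, not a rule GMER applies.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the GMER 1.0.14 log posted above (raw string keeps the backslashes).
SAMPLE_LOG = r"""
---- System - GMER 1.0.14 ----
SSDT A5BFA9EC ZwCreateThread
SSDT A5BFA9D8 ZwOpenProcess
---- Processes - GMER 1.0.14 ----
Process (*** hidden *** ) [0] 21420232
---- Registry - GMER 1.0.14 ----
Reg HKLM\SOFTWARE\Classes\CLSID\{96F7CB97-7C49-430C-84DE-D9567D0DE628}\InprocServer32@ C:\Windows\system32\qoMFxWPi.dll
---- EOF - GMER 1.0.14 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER ")
# Default value of a CLSID's InprocServer32 key: "...InprocServer32@ <path>" (a named value has no space after @).
INPROC_RE = re.compile(r"^Reg (HKLM\\SOFTWARE\\Classes\\CLSID\\\{[0-9A-Fa-f-]+\}\\InprocServer32)@ (.+)$")

def parse_sections(text):
    """Group log lines under their '---- Name - GMER x.y ----' headers."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif current and line.strip():
            sections[current].append(line.rstrip())
    return sections

def looks_random(dll_path):
    # Assumed heuristic, not a GMER rule: 8 letters directly under system32 in mixed case (as qoMFxWPi.dll above).
    m = re.search(r"\\system32\\([A-Za-z]{8})\.dll$", dll_path, re.I)
    return bool(m) and not (m.group(1).islower() or m.group(1).isupper())

def triage(text):
    """Return (kind, subject, detail) tuples for the findings a helper reads first."""
    findings, sections = [], parse_sections(text)
    for line in sections.get("System", []):
        if line.startswith("SSDT "):
            _, addr, func = line.split(None, 2)
            findings.append(("ssdt_hook", func, addr))
    for line in sections.get("Processes", []):
        if "*** hidden ***" in line:
            findings.append(("hidden_process", line.split()[-1], ""))
    for line in sections.get("Registry", []):
        m = INPROC_RE.match(line)
        if m and looks_random(m.group(2)):
            findings.append(("com_inproc_random_dll", m.group(1), m.group(2)))
    return findings
```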

Re: Virtumonde and virtumonde.dll I'm new here is my hijack

Post by Blade81 » April 25th, 2008, 12:17 am

Hi

Sorry for not replying sooner.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, click Options > Change settings.
  • Choose the Scan tab and remove the mark at Heuristic analysis.
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found. If so, click it, then click the next icon right below and select Move incurable, as you'll see in the next image. This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer!! It is possible that files in use will be moved/deleted during the reboot.
  • After the reboot, post the contents of the log from Dr.Web you saved previously in your next reply, with a new HijackThis log.



When did you install Service Pack 1? Was it before these problems first occurred? Could you try creating another account and see if the system works correctly using it?
Blade81
Admin/Teacher
 
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland

Re: Virtumonde and virtumonde.dll I'm new here is my hijack

Post by wilsonstreasures » April 25th, 2008, 12:45 am

It's ok, I'm sure you are busy, oh and might want to sleep once in a while too, ha. Service Pack 1 was installed as an automatic Windows update and it was AFTER this crap, unfortunately. This thing attacked me on or around the 18th or a couple of days before, and the service pack came on the 20th or 21st, I think, lol. I'm doing the Dr.Web CureIt thing; I'll post when I'm done in a moment.
wilsonstreasures
Regular Member
 
Posts: 17
Joined: April 20th, 2008, 8:04 pm

Re: Virtumonde and virtumonde.dll I'm new here is my hijack

Post by wilsonstreasures » April 25th, 2008, 12:56 am

I can't create another account; it won't let me. I can't even go into my OWN administrative account and turn UAC on or off. It won't let me do ANYTHING, frustrating. I completed the initial express scan of Dr.Web and it found NOTHING. I noticed on my last HijackThis log that freaking qowb blah whatever virus file was hidden there still. This is a NASTY beast. What is wrong with freaking people? I'm running the complete scan now; looks like it will take a bit of time, be back in 10 or 15.
Deb
wilsonstreasures
Regular Member
 
Posts: 17
Joined: April 20th, 2008, 8:04 pm

Re: Virtumonde and virtumonde.dll I'm new here is my hijack

Post by wilsonstreasures » April 25th, 2008, 3:19 am

OK, here is the DrWeb log first:
RegUBP2b-Debbie.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
PSEXESVC.EXE;C:\Windows;Program.PsExec.170;Incurable.Moved.;
ssaver.reg;C:\Windows\System32;Trojan.StartPage.1505;Deleted.;

Now here is the new HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:17:55 AM, on 4/25/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/ ... taller.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 4654 bytes
wilsonstreasures
Regular Member
 
Posts: 17
Joined: April 20th, 2008, 8:04 pm

Re: Virtumonde and virtumonde.dll I'm new here is my hijack

Post by Blade81 » April 25th, 2008, 11:36 am

Hi

Your system seems to be so badly messed up that I'm afraid the only sensible solution is to reformat. Instructions can be found here. Please let me know if you have any questions in your mind.
Blade81
Admin/Teacher
 
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland

Re: Virtumonde and virtumonde.dll I'm new here is my hijack

Post by NonSuch » May 2nd, 2008, 11:16 pm

Due to lack of response this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California