Virtumonde - Can't remove it

**Wesley** · 2008-01-22, 18:15

Spybot pulls up a Virtumonde trojan and associated DLL when I run a scan.

I've attempted to remove it via Spybot when my internet connection was unplugged (per instructions) and it is still there after reboot. Recently I rebooted my computer and was bombarded with error reports. We're talking about 20 of them popping up immediately on reboot with me furiously clicking to finally get rid of them. I haven't experienced anything similar since, but that is what prompted the Spyware scan and now the inquiry.

Any help you can provide would be appreciated.

**ken545** · 2008-01-23, 02:01

Hello Wesley

Welcome to Safer Networking.

Please read Before You Post
All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen

Download
Trendmicros Hijackthis to your desktop, double click it to install, follow the prompts
and by default it will install in C:\Program Files\Trendmicro\Hijackthis\Highjackthis.exe

Open HJT Scan and Save a Log File, it will open in Notepad
Go to Format and make sure Wordwrap is Unchecked
Go to Edit> Select All.....Edit > Copy and Paste the new log into this thread by using the
Post Reply and not start a New Thread.

DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or
even required.

**Wesley** · 2008-01-23, 21:16

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:13:15 PM, on 1/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol .exe
C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon .exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect .exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\tjlqrkno.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.apexfitness.com/login.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\gebcy.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [f0f44187] rundll32.exe "C:\WINDOWS\system32\jsxioyxq.dll",b
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [Steam] "c:\games\valve\steam\steam.exe" -silent
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1131524740859
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\tjlqrkno.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 7422 bytes

**ken545** · 2008-01-23, 23:22

Hello Wesley

You are indeed infected with Vundo and a few other things.

Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

F3 - REG:win.ini: load=C:\WINDOWS\system32\gebcy.exe

O4 - HKLM\..\Run: [f0f44187] rundll32.exe "C:\WINDOWS\system32\jsxioyxq.dll",b

Download VundoFix to your desktop

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Download ComboFix from Here or Here to your Desktop.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

I need to see the Vundofix log, the Combofix log and a New HJT log please

**Wesley** · 2008-01-24, 00:28

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:27, on 2008-01-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.apexfitness.com/login.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {9a0ad62d-566c-ead9-5144-1bd800c29c65} - {56c92c00-8db1-4415-9dae-c665d26da0a9} - C:\WINDOWS\system32\hkmybmlu.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [Steam] "c:\games\valve\steam\steam.exe" -silent
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1131524740859
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 7240 bytes

**Wesley** · 2008-01-24, 00:29

ComboFix 08-01-23.2 - Wes 2008-01-23 15:12:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1608 [GMT -8:00]
Running from: C:\Documents and Settings\Wes\Desktop\ComboFix(2).exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Wes\Application Data\DOBE~1
C:\Documents and Settings\Wes\Application Data\DOBE~1\?dobe\
C:\Games\Valve\Steam\steam .exe
c:\games\valve\steam\steam.exe
C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon .exe
C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9 .exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect .exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Creative\SB Drive Det\SBDrvDet .exe
C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol .exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\outerinfo
C:\Program Files\Temporary
C:\Program Files\Temporary\kernInst.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
C:\WINDOWS\system32\000080.exe
C:\WINDOWS\system32\drivers\sfsync02.sys
C:\WINDOWS\system32\gebcy.dll
C:\WINDOWS\system32\gebcy.exe
C:\WINDOWS\system32\icroso~1
C:\WINDOWS\system32\icroso~1\j?vaw.exe
C:\WINDOWS\system32\jsxioyxq.dll
C:\WINDOWS\system32\qxyoixsj.ini
C:\WINDOWS\system32\RCX13.tmp
C:\WINDOWS\system32\RCX14.tmp
C:\WINDOWS\system32\tjlqrkno.exe
C:\WINDOWS\system32\wnscpsv.exe
C:\WINDOWS\system32\ycbeg.ini
C:\WINDOWS\system32\ycbeg.ini2

Code:

 <pre>
C:\Games\Valve\Steam\steam .exe ---> QooBox
C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon .exe ---> QooBox
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9 .exe ---> QooBox
C:\Program Files\Creative\MediaSource\Detector\CTDetect .exe ---> QooBox
C:\Program Files\Creative\SB Drive Det\SBDrvDet .exe ---> QooBox
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol .exe ---> QooBox
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe ---> QooBox
</pre>

.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_SFSYNC02
-------\DomainService
-------\nm
-------\sfsync02

((((((((((((((((((((((((( Files Created from 2007-12-23 to 2008-01-23 )))))))))))))))))))))))))))))))
.

2008-01-23 15:11 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-23 15:06 . 2008-01-23 15:06 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-01-23 14:41 . 2008-01-23 15:05 <DIR> d-------- C:\VundoFix Backups
2008-01-23 12:12 . 2008-01-23 12:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-22 23:40 . 2008-01-22 23:40 1,109,185 ---hs---- C:\WINDOWS\system32\mimvoykv.ini
2008-01-22 12:20 . 2008-01-22 12:20 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-22 12:20 . 2008-01-22 12:20 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-22 12:16 . 2008-01-22 12:36 256 --a------ C:\WINDOWS\system32\pool.bin
2008-01-22 11:21 . 2007-01-18 10:24 26,496 -ra------ C:\WINDOWS\system32\drivers\RimSerial.sys
2008-01-22 11:20 . 2008-01-22 11:20 <DIR> d-------- C:\Program Files\Research In Motion
2008-01-22 11:20 . 2008-01-22 11:20 <DIR> d-------- C:\Program Files\Common Files\Research In Motion
2008-01-22 10:24 . 2008-01-22 10:24 <DIR> d-------- C:\WINDOWS\65F1CF6331E0450B96F34A88BE7361A6.TMP
2008-01-22 08:32 . 2008-01-22 11:32 1,109,125 ---hs---- C:\WINDOWS\system32\jumtsiod.ini
2008-01-22 08:27 . 2008-01-22 08:27 1,105,926 ---hs---- C:\WINDOWS\system32\shqytknh.ini
2008-01-13 11:19 . 2008-01-13 11:19 31,074 --a------ C:\WINDOWS\system32\drivers\Partizan.sys
2008-01-13 11:11 . 2008-01-13 11:26 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-13 11:11 . 2008-01-13 11:11 25,600 --a------ C:\WINDOWS\system32\Partizan.exe
2008-01-13 11:09 . C:\WINDOWS\(2) C:\ComboFix\winstart.bat
2008-01-13 11:03 . 2008-01-13 11:03 336,384 --a------ C:\WINDOWS\system32\GEBCY.DLL.del
2008-01-13 10:58 . 2008-01-13 10:58 40,448 --a------ C:\WINDOWS\system32\VTUTSRO.DLL.del
2008-01-13 10:57 . 2007-11-01 05:44 60,928 --a------ C:\WINDOWS\system32\LQZLDAR.DLL.del
2008-01-13 10:56 . 2008-01-13 10:56 6,144 --a------ C:\info.exe
2008-01-10 20:38 . 2008-01-10 20:38 <DIR> d-------- C:\Program Files\CEVO
2008-01-10 20:38 . 2007-03-13 17:19 1,017,545 --a------ C:\WINDOWS\system32\cpuz.exe
2008-01-10 20:38 . 2006-03-31 14:48 119,056 --a------ C:\WINDOWS\system32\reg_c3.exe
2008-01-10 20:38 . 2007-03-13 16:26 73,728 --a------ C:\WINDOWS\system32\pv_c3.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-23 21:13 --------- d-----w C:\Program Files\mIRC
2008-01-22 23:40 --------- d-----w C:\Program Files\NZBomatic
2008-01-22 19:25 --------- d-----w C:\Program Files\Roxio
2008-01-22 19:25 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-01-22 19:24 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-01-22 18:25 --------- d-----w C:\Program Files\Best Buy Rhapsody
2008-01-13 19:28 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-13 19:03 --------- d-----w C:\Program Files\DAEMON Tools
2008-01-13 16:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-01-08 22:10 --------- d-----w C:\Program Files\DivX
2007-12-21 03:05 --------- d-----w C:\Program Files\Common Files\AOL
2007-12-21 03:05 --------- d-----w C:\Program Files\AIM
2007-12-20 02:46 --------- d-----w C:\Program Files\AIM6
2007-12-18 12:31 --------- d-----w C:\Program Files\Viewpoint
2007-12-18 12:15 --------- d-----w C:\Program Files\Common Files\Nullsoft
2007-12-06 21:37 --------- d-----w C:\Program Files\SmartFTP Client 2.5 Setup Files
2007-12-06 21:37 --------- d-----w C:\Program Files\SmartFTP Client
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56c92c00-8db1-4415-9dae-c665d26da0a9}]
C:\WINDOWS\system32\hkmybmlu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [ ]
"Aim6"="" []
"Steam"="c:\games\valve\steam\steam.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [ ]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 00:07 8491008]
"nwiz"="nwiz.exe" [2007-09-17 00:07 1626112 C:\WINDOWS\system32\nwiz.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-03-28 16:38 94208 C:\WINDOWS\KHALMNPR.Exe]
"Launch LCDMon"="C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe" [ ]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 00:07 81920]
"CTHelper"="CTHELPER.EXE" [2006-08-11 13:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 13:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [ ]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=C:\WINDOWS\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 18:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2008-01-13 11:03 481280 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DHzpColorBoost]
C:\Windows\System32\DHzpColor.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\gebcy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nTrayFw]
--a------ 2005-12-21 10:52 270336 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-12-22 01:56 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2005-09-19 00:53 1687552 C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2005-09-19 00:29 163840 C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]
--a------ 2004-04-23 14:28 77824 C:\Program Files\Logitech\Profiler\lwemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-06-14 17:32 132760 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

R0 nvcchflt;NVIDIA Disk Cache Filter Driver;C:\WINDOWS\system32\DRIVERS\nvcchflt.sys [2005-02-11 02:11]
R2 PfDetNT;PfDetNT;C:\WINDOWS\System32\drivers\PfModNT.sys [2006-08-11 13:56]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-20 16:00:00 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-23 15:16:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Creative Detector = "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R???w0??w????*??w???w@x??O??w????m???p???????????????l???l??????????wO??w????m???p???????????????k!?s???w???w???????????w???????w??j????????w???????w???w???????s????g??w???w???????w???w???????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.

**Wesley** · 2008-01-24, 00:30

VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 2:41:21 PM 1/23/2008

Listing files found while scanning....

C:\WINDOWS\system32\dbgtenay.dll
C:\WINDOWS\system32\gebcy.dll
C:\WINDOWS\system32\gebcy.exe
C:\WINDOWS\system32\hckbvaxt.dll
C:\WINDOWS\system32\hkmybmlu.dll
C:\WINDOWS\system32\kcpjcipp.dll
C:\WINDOWS\system32\tjlqrkno.exe
C:\WINDOWS\system32\ycbeg.ini
C:\WINDOWS\system32\ycbeg.ini2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\dbgtenay.dll
C:\WINDOWS\system32\dbgtenay.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gebcy.dll
C:\WINDOWS\system32\gebcy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gebcy.exe
C:\WINDOWS\system32\gebcy.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\hckbvaxt.dll
C:\WINDOWS\system32\hckbvaxt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hkmybmlu.dll
C:\WINDOWS\system32\hkmybmlu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kcpjcipp.dll
C:\WINDOWS\system32\kcpjcipp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tjlqrkno.exe
C:\WINDOWS\system32\tjlqrkno.exe Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ycbeg.ini
C:\WINDOWS\system32\ycbeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ycbeg.ini2
C:\WINDOWS\system32\ycbeg.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\tjlqrkno.exe
C:\WINDOWS\system32\tjlqrkno.exe Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

**Wesley** · 2008-01-24, 00:33

I usually just use spybot search and destroy as my antivirus. I do a lot of gaming so I squeeze every bit of system resources I can by not running many background programs.

That being said, I'm over all this spyware crap so what sort of free resources should I use to alleviate the junk from coming back in?

Is hooking up my linksys router and using that as a natural firewall a good enough alternative to a software firewall? Can I get by with just spybot frequently used and updated?

I also use firefox as my default browser.

Thank you VERY much for your time and efforts.

**ken545** · 2008-01-24, 04:35

Wesley,

We will go over your security when where done, a little more to do. You were infected by a newer variant of Vundo which is a File Infector If you look at your Combofix log , the files and programs in the CODE box have been infected by this trojan, but it looks like Combofix may have fixed them.

Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above File::

File::
C:\WINDOWS\system32\hkmybmlu.dll
C:\WINDOWS\system32\mimvoykv.ini
C:\WINDOWS\system32\jumtsiod.ini
C:\WINDOWS\system32\shqytknh.ini
C:\WINDOWS\system32\GEBCY.DLL.del
C:\WINDOWS\system32\VTUTSRO.DLL.del
C:\WINDOWS\system32\LQZLDAR.DLL.del
C:\info.exe

Folder::
C:\VundoFix Backups
C:\QooBox

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56c92c00-8db1-4415-9dae-c665d26da0a9}]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

**Wesley** · 2008-01-24, 05:02

I ran combofix to your exact instructions. Everything seemed to be running just fine as before. I had to step out for a moment and came back and the computer was at the desktop with no icons, no start menu. I could still move my mouse. I presume it required a reboot and I wasn't in the room to do it so it did not reboot. I hit the reset button and it booted just fine.

Should I rerun the program?

Thread: Virtumonde - Can't remove it

Thread Tools

Display

Virtumonde - Can't remove it

Posting Permissions