possible virtumonde.generic infection



xtophe
2007-10-03, 14:13
Hello,

I have been running Spybot Search and Destroy for a few days and virtumonde.generic keeps on showing up even after fixing the problem.
Any idea what's going on?
thank you.
Here is a fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 13:08:03, on 03/10/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\mozilla.org\Mozilla\Mozilla.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4E162049-1B0A-4956-9F0D-79EC8FFB3460} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\adobe gamma loader.exe
O4 - Global Startup: Démarrage d'Office.lnk.disabled
O4 - Global Startup: HotSync Manager.lnk.disabled
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk.disabled
O4 - Global Startup: Microsoft Recherche accélérée.lnk.disabled
O4 - Global Startup: Picture Package Menu.lnk.disabled
O4 - Global Startup: Picture Package VCD Maker.lnk.disabled
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170679937318
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} -
O20 - Winlogon Notify: ddcyyay - C:\WINDOWS\
O20 - Winlogon Notify: klogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 - Service: TabletService - Unknown owner - C:\WINDOWS\System32\Tablet.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

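As an added example (not code from anyone in this thread), the following Python script applies a few of the triage heuristics a helper uses when reading a HijackThis log to the lines posted above: a BHO registered with no backing file, an O16 ActiveX download entry with no URL, O20 Winlogon Notify handlers whose path is a bare directory rather than a DLL, and an O23 service whose binary is missing. The sample lines are copied from the log above; the severity labels, the function names and the ordering are this example's own choices, and a hit only orders the manual review, it does not prove infection.

```python
import re

# Sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = [
    "O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll",
    "O2 - BHO: (no name) - {4E162049-1B0A-4956-9F0D-79EC8FFB3460} - (no file)",
    "O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -",
    "O20 - Winlogon Notify: ddcyyay - C:\\WINDOWS\\",
    "O20 - Winlogon Notify: klogon - C:\\WINDOWS\\",
    "O23 - Service: NVIDIA Driver Helper Service (NVSvc) - Unknown owner - C:\\WINDOWS\\System32\\nvsvc32.exe (file missing)",
    "O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\\Program Files\\Comodo\\Firewall\\cmdagent.exe",
]

# Every HijackThis entry starts with its section code: "O<n> - <body>".
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")

# Review order used by prioritized(); the labels are this example's own.
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def _finding(section, severity, reason, line):
    return {"section": section, "severity": severity, "reason": reason, "line": line}


def _target_of(body):
    """Return the last ' - ' separated field of an entry (usually the file path)."""
    body = body.rstrip()
    if body.endswith(" -"):
        # Entry cut off right after the separator: HijackThis printed no target.
        return ""
    return body.rsplit(" - ", 1)[-1].strip()


def triage_hjt(lines):
    """Return one finding per line that trips a heuristic, in log order."""
    findings = []
    for raw in lines:
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        target = _target_of(body)

        if section == "O2" and target == "(no file)":
            # A CLSID still registered as a BHO although its DLL is gone:
            # harmless on its own, but worth clearing so the key is not reused.
            findings.append(_finding(section, "medium", "BHO registered with no backing file", raw))
        elif section == "O16" and target == "":
            # ActiveX download entry listed without a source URL.
            findings.append(_finding(section, "low", "DPF entry with no download URL", raw))
        elif section == "O20" and not target.lower().endswith(".dll"):
            # A Winlogon Notify handler must name a DLL; a bare directory such as
            # C:\WINDOWS\ means no DLL could be identified. Randomly named handlers
            # here are a well-known Virtumonde/Vundo persistence spot.
            findings.append(_finding(section, "high", "Winlogon Notify handler without a DLL path", raw))
        elif section == "O23" and target.endswith("(file missing)"):
            # Service whose executable no longer exists: stale driver or removed tool.
            findings.append(_finding(section, "low", "service binary missing", raw))
    return findings


def prioritized(findings):
    """Order findings high -> medium -> low, keeping log order within a level."""
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


if __name__ == "__main__":
    for f in prioritized(triage_hjt(SAMPLE_LOG)):
        print(f"[{f['severity']:6}] {f['section']}: {f['reason']}\n    {f['line']}")
```

Run against the posted log, the two O20 lines come out on top, which matches what Spybot keeps reporting as Virtumonde; the (no file) BHO and the missing NVIDIA service binary are ordinary leftovers that only need cleanup.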
Shaba
2007-10-04, 12:50
Hi xtophe

Please post the Spybot report next :)

xtophe
2007-10-04, 16:45
Hello Shaba,

You will find the Spybot report below.

thanx for helping.


--- Search result list ---
Smitfraud-C.: Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50}

Virtumonde.generic: Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AC16C3BC-AEBE-4B17-B0AD-D2B7F76DFAB8}

Common Dialogs: History (601 files) (Registry key, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-01-04 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2007-07-31 Tools.dll (2.1.2.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-10-04 Includes\Cookies.sbi (*)
2007-07-25 Includes\Dialer.sbi (*)
2007-10-04 Includes\DialerC.sbi (*)
2007-08-29 Includes\Hijackers.sbi (*)
2007-10-04 Includes\HijackersC.sbi (*)
2007-10-04 Includes\Keyloggers.sbi (*)
2007-10-04 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-10-04 Includes\Malware.sbi (*)
2007-10-04 Includes\MalwareC.sbi (*)
2007-09-05 Includes\PUPS.sbi (*)
2007-10-04 Includes\PUPSC.sbi (*)
2007-10-04 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-10-04 Includes\SecurityC.sbi (*)
2007-09-12 Includes\Spybots.sbi (*)
2007-10-04 Includes\SpybotsC.sbi (*)
2007-08-21 Includes\Tracks.uti (*)
2007-10-04 Includes\Trojans.sbi (*)
2007-10-04 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll

Shaba
2007-10-04, 16:57
Hi

Do those show again if you re-scan?

xtophe
2007-10-04, 23:18
Smitfraud and Virtumonde do not show up on an immediate rescan.
But they do if the computer is shut down and then started again, or the next day.

Shaba
2007-10-05, 10:56
Hi

Then do this.

1. Disable TeaTimer

2. Let spybot fix those entries.

3. Run computer a day without TeaTimer and tell me if they still come back.

xtophe
2007-10-06, 16:35
Hello Shaba,

Yesterday, I disabled TeaTimer after Spybot had fixed the problem.
Today neither Smitfraud nor Virtumonde showed up.
Any idea what happened and/or what I should do next?
Thanx.
Xtophe

Shaba
2007-10-06, 17:07
Hi

Well, if you re-enable TeaTimer and Virtumonde shows up again, I recommend uninstalling & reinstalling Spybot.

That should do the trick :)

xtophe
2007-10-08, 13:01
hello Shaba,

Thanx for the trick, I'll try that and I will keep you posted.
Xtophe.

Shaba
2007-10-08, 17:30
Hi

Ok, keep me informed :)

xtophe
2007-10-11, 13:51
Hello Shaba,

I've installed the new v5.1 of SpybotSD and the problem seems to be fixed.
thank you,
Xtophe.

Shaba
2007-10-11, 17:57
Hi

That's great :)

Any other issues?

Shaba
2007-10-18, 11:30
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.