Tagged by Virtumonde



elmodud
2007-11-07, 00:22
My Spybot scan finds Virtumonde, and after several attempts to remove it, it returns when the computer is rebooted.

My HJT log is as follows. I will post the Kaspersky log in a new post:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:13:45 PM, on 11/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189032526156
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.30.16/ttinst.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe

--
End of file - 3371 bytes

elmodud
2007-11-07, 00:26
Here is the Kaspersky log file:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, November 06, 2007 3:12:34 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/11/2007
Kaspersky Anti-Virus database records: 452453
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 186519
Number of viruses found: 16
Number of infected objects: 54
Number of suspicious objects: 1
Duration of the scan process: 02:31:12

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF287B.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ANCJ2PSF\install_en[1].exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BABL11NV\num[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.acd skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BABL11NV\spot20071019[1] Infected: Trojan-Downloader.Win32.Agent.eud skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\I8Q5N9CG\install_en[1].exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PV7LRTZ4\install_en[1].exe Infected: not-a-virus:Downloader.Win32.WinFixer.an skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\V729MT6V\Setup[1].exe Infected: not-a-virus:AdTool.Win32.Zango.b skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Y3OF705K\installer_en[1].exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\Administrator\ntuser.dat Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{6BDF2A4A-0836-4C57-B51B-9213130E6947}\RP77\A0010199.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.180Solutions.bj skipped
C:\System Volume Information\_restore{6BDF2A4A-0836-4C57-B51B-9213130E6947}\RP77\A0010199.exe/stream Infected: not-a-virus:AdWare.Win32.180Solutions.bj skipped
C:\System Volume Information\_restore{6BDF2A4A-0836-4C57-B51B-9213130E6947}\RP77\A0010199.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{6BDF2A4A-0836-4C57-B51B-9213130E6947}\RP91\A0010499.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aex skipped
C:\System Volume Information\_restore{6BDF2A4A-0836-4C57-B51B-9213130E6947}\RP92\A0010574.dll Infected: Trojan.Win32.BHO.rg skipped
C:\System Volume Information\_restore{6BDF2A4A-0836-4C57-B51B-9213130E6947}\RP92\A0010584.dll Infected: Trojan.Win32.BHO.re skipped
C:\System Volume Information\_restore{6BDF2A4A-0836-4C57-B51B-9213130E6947}\RP92\A0010586.dll Infected: Trojan.Win32.BHO.rd skipped
C:\System Volume Information\_restore{6BDF2A4A-0836-4C57-B51B-9213130E6947}\RP92\A0010590.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.agh skipped
C:\System Volume Information\_restore{6BDF2A4A-0836-4C57-B51B-9213130E6947}\RP92\A0010595.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.acd skipped
C:\System Volume Information\_restore{6BDF2A4A-0836-4C57-B51B-9213130E6947}\RP92\A0010597.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.acd skipped
C:\System Volume Information\_restore{6BDF2A4A-0836-4C57-B51B-9213130E6947}\RP92\A0010600.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.acd skipped
C:\System Volume Information\_restore{6BDF2A4A-0836-4C57-B51B-9213130E6947}\RP92\A0010604.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.acd skipped
C:\System Volume Information\_restore{6BDF2A4A-0836-4C57-B51B-9213130E6947}\RP92\A0010608.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.acd skipped
C:\System Volume Information\_restore{6BDF2A4A-0836-4C57-B51B-9213130E6947}\RP92\A0010628.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.acd skipped
C:\System Volume Information\_restore{6BDF2A4A-0836-4C57-B51B-9213130E6947}\RP92\A0010641.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.acd skipped
C:\System Volume Information\_restore{6BDF2A4A-0836-4C57-B51B-9213130E6947}\RP92\A0010643.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.acd skipped
C:\System Volume Information\_restore{6BDF2A4A-0836-4C57-B51B-9213130E6947}\RP92\A0010645.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.acd skipped
C:\System Volume Information\_restore{6BDF2A4A-0836-4C57-B51B-9213130E6947}\RP92\A0010647.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.acd skipped
C:\System Volume Information\_restore{6BDF2A4A-0836-4C57-B51B-9213130E6947}\RP92\A0010649.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.acd skipped
C:\System Volume Information\_restore{6BDF2A4A-0836-4C57-B51B-9213130E6947}\RP93\A0010662.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.acd skipped
C:\System Volume Information\_restore{6BDF2A4A-0836-4C57-B51B-9213130E6947}\RP93\A0010702.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aex skipped
C:\System Volume Information\_restore{6BDF2A4A-0836-4C57-B51B-9213130E6947}\RP93\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\dwvkarlm.dll Infected: Trojan.Win32.BHO.rg skipped
C:\WINDOWS\system32\ehdoyvcc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.acd skipped
C:\WINDOWS\system32\fmqhwykf.dll Infected: Trojan.Win32.BHO.re skipped
C:\WINDOWS\system32\ivupvyve.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.acd skipped
C:\WINDOWS\system32\mgpvaelg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.acd skipped
C:\WINDOWS\system32\njpoioub.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.acd skipped
C:\WINDOWS\system32\oyqscvoo.dll Infected: Trojan.Win32.BHO.rd skipped
C:\WINDOWS\system32\pbfmwvul.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.acd skipped
C:\WINDOWS\system32\pkswcgoo.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.acd skipped
C:\WINDOWS\system32\qfctqbrd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.acd skipped
C:\WINDOWS\system32\uwmflqxi.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.agh skipped
C:\WINDOWS\system32\vgdhejhp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.acd skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\whrqwrns.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.acd skipped
C:\WINDOWS\system32\wiltmtmv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.acd skipped
C:\WINDOWS\system32\xgcasmxw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.acd skipped
C:\WINDOWS\system32\xietdcyi.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.acd skipped
C:\WINDOWS\system32\ycrhictt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.acd skipped
C:\WINDOWS\system32\ykrxnbfh.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.acd skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
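A triage script for a report like the one above, added by the editor and not part of the original thread or of Kaspersky's tooling: it parses each result line, separates locked-and-skipped system files from actual detections, groups detections by where they sit (browser cache, System Restore points, system32) and by family, and pulls out the system32 DLLs that share the eight-random-lowercase-letter naming pattern every system32 hit in the report shows. The sample lines are a verbatim excerpt of the posted report; the location categories and the random-name heuristic are the editor's assumptions, not anything the scanner emits.

```python
import re
from collections import Counter

# Verbatim excerpt of the Kaspersky Online Scanner report posted above (a subset,
# so the script runs offline; paste the whole report, one result per line, to triage it all).
SAMPLE_REPORT = [
    r"C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped",
    r"C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BABL11NV\num[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.acd skipped",
    r"C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BABL11NV\spot20071019[1] Infected: Trojan-Downloader.Win32.Agent.eud skipped",
    r"C:\System Volume Information\_restore{6BDF2A4A-0836-4C57-B51B-9213130E6947}\RP77\A0010199.exe NSIS: infected - 2 skipped",
    r"C:\System Volume Information\_restore{6BDF2A4A-0836-4C57-B51B-9213130E6947}\RP92\A0010574.dll Infected: Trojan.Win32.BHO.rg skipped",
    r"C:\WINDOWS\system32\dwvkarlm.dll Infected: Trojan.Win32.BHO.rg skipped",
    r"C:\WINDOWS\system32\ehdoyvcc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.acd skipped",
    r"C:\WINDOWS\system32\config\SAM Object is locked skipped",
    r"C:\WINDOWS\system32\uwmflqxi.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.agh skipped",
]

# Three line shapes occur in the report: locked files, single detections, and
# archive containers ("NSIS: infected - 2"). Paths contain spaces, so anchor on the tail.
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?P<name>\S+: infected - \d+) (?P<action>\S+)$")
# Editor's heuristic: every system32 detection in the report is eight lowercase letters + .dll.
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")


def family(name):
    """Collapse 'not-a-virus:AdWare.Win32.Virtumonde.acd' to 'AdWare.Win32.Virtumonde'."""
    if name.startswith("not-a-virus:"):
        name = name.split(":", 1)[1]
    parts = name.split(".")
    if len(parts) >= 3 and parts[-1].islower():  # trailing variant letters (acd, rg, eud)
        parts = parts[:-1]
    return ".".join(parts)


def location(path):
    """Editor's categories, chosen by what each area means for cleanup."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point"   # copies inside System Restore points; only revived by a restore
    if "\\temporary internet files\\" in p:
        return "browser-cache"   # downloaded installers cached by IE, not installed components
    if "\\windows\\system32\\" in p:
        return "system32"        # the DLLs the poster keeps finding after a reboot
    return "other"


def parse_report(lines):
    """Return (findings, locked_count); each finding is a dict describing one detection."""
    findings, locked = [], 0
    for line in lines:
        line = line.rstrip()
        if LOCKED_RE.match(line):
            locked += 1
            continue
        m = INFECTED_RE.match(line) or CONTAINER_RE.match(line)
        if not m:
            continue  # header, blank or statistics line
        path = m.group("path")
        base = path.rsplit("\\", 1)[-1]
        findings.append({
            "path": path,
            "name": m.group("name"),
            "family": family(m.group("name")),
            "location": location(path),
            "random_name": bool(RANDOM_DLL_RE.match(base)),
            "action": m.group("action"),
        })
    return findings, locked


def summarize(findings):
    """Counts by location and family, plus the live random-named system32 DLLs to hand to a removal tool."""
    live_system32 = sorted(
        f["path"].rsplit("\\", 1)[-1]
        for f in findings
        if f["location"] == "system32" and f["random_name"]
    )
    return {
        "by_location": dict(Counter(f["location"] for f in findings)),
        "by_family": dict(Counter(f["family"] for f in findings)),
        "live_system32": live_system32,
    }


if __name__ == "__main__":
    found, locked = parse_report(SAMPLE_REPORT)
    print(f"{len(found)} detections, {locked} locked files skipped")
    for key, value in summarize(found).items():
        print(f"{key}: {value}")
```

On the excerpt this reports two detections in the browser cache, two inside restore points and three live in system32, all three of the latter matching the random-name pattern; the "Object is locked" lines (registry hives, event logs, index.dat) are ordinary in-use system files and are counted separately so they do not inflate the infection count.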

elmodud
2007-11-08, 00:58
While I was waiting for a reply to this thread, I went ahead and ran VundoFix, Spybot, and HJT. It looks like VundoFix and Spybot got most of it, and I was able to clean up two additional infected registry entries with HJT.

Is there anything else I should do to ensure all remnants of this pest are gone?

Thanks for your help... VundoFix rules!

pskelley
2007-11-12, 14:07
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
The Waiting Room
http://forums.spybot.info/forumdisplay.php?f=37

I was wondering why your HJT log stops at the O16 DPF items; an HJT log from this version should run to O23 or O24. Have you removed something, or not posted a complete log?

Much of the Vundo infection hides from HJT, and VundoFix is a great tool, but it often needs help, which is why we use other tools and your Kaspersky scan, which shows loads of infected Vundo files. I'll let you make this call: if you are satisfied you are clean, that's great. If not, then post a complete HJT log and describe any symptoms that are occurring, and we will work from there.

Looking at Kaspersky, see these areas:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\ <<< delete the contents of that folder (not the folder itself).

There is a load more but Vundofix may have removed the junk, we will see.

Thanks
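An added check, written by the editor rather than taken from the thread or from HijackThis, for the question pskelley raises about whether the posted HJT log is complete: it parses a log into its section codes, reports the highest O-section present and whether the "End of file" footer is there, lists entries HJT itself marked "(no file)" (registry references to a file that no longer exists), and breaks each O16 DPF entry into CLSID, name, download host and whether the download is a .cab. The sample lines are a verbatim excerpt of the posted log; which sections a complete log of a given HJT version must contain is left to the helper reading the output.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Verbatim excerpt of the HijackThis v2.0.2 log posted above.
SAMPLE_HJT = [
    "Logfile of Trend Micro HijackThis v2.0.2",
    "Platform: Windows XP SP2 (WinNT 5.01.2600)",
    "Boot mode: Normal",
    "",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/",
    "O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)",
    r"O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe",
    r"O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe",
    "O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab",
    "O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe",
    "",
    "--",
    "End of file - 3371 bytes",
]

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
VERSION_RE = re.compile(r"HijackThis v(?P<ver>[\w.]+)")
FOOTER_RE = re.compile(r"^End of file - (?P<size>\d+) bytes$")
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")
SECTION_ORDER = {"R": 0, "F": 1, "N": 2, "O": 3}  # the order HJT prints its sections in


def section_key(code):
    return (SECTION_ORDER.get(code[0], 9), int(code[1:]))


def parse_hjt(lines):
    """Pull the version, the (code, body) entries and the footer out of a log."""
    parsed = {"version": None, "entries": [], "has_footer": False, "footer_bytes": None}
    for line in lines:
        line = line.rstrip()
        if m := VERSION_RE.search(line):
            parsed["version"] = m.group("ver")
        elif m := FOOTER_RE.match(line):
            parsed["has_footer"] = True
            parsed["footer_bytes"] = int(m.group("size"))
        elif m := ENTRY_RE.match(line):
            parsed["entries"].append((m.group("code"), m.group("body")))
    return parsed


def sections_present(parsed):
    return sorted({code for code, _ in parsed["entries"]}, key=section_key)


def highest_o_section(parsed):
    numbers = [int(code[1:]) for code, _ in parsed["entries"] if code[0] == "O"]
    return max(numbers) if numbers else None


def orphan_entries(parsed):
    """Entries HJT flagged '(no file)': a registry reference whose target is gone."""
    return [(code, body) for code, body in parsed["entries"] if "(no file)" in body]


def dpf_controls(parsed):
    """O16 entries are ActiveX controls downloaded from a URL; split each into its parts."""
    out = []
    for code, body in parsed["entries"]:
        if code != "O16":
            continue
        m = DPF_RE.match(body)
        if not m:
            continue
        url = m.group("url")
        bare = url.split("?", 1)[0]  # wuweb_site.cab?1189032526156 carries a cache-buster
        out.append({
            "clsid": m.group("clsid"),
            "name": m.group("name"),
            "host": urlsplit(url).hostname,
            "file": bare.rsplit("/", 1)[-1],
            "is_cab": bare.lower().endswith(".cab"),
        })
    return out


def report(lines):
    parsed = parse_hjt(lines)
    return {
        "version": parsed["version"],
        "sections": sections_present(parsed),
        "section_counts": dict(Counter(code for code, _ in parsed["entries"])),
        "highest_o_section": highest_o_section(parsed),
        "has_footer": parsed["has_footer"],
        "footer_bytes": parsed["footer_bytes"],
        "orphans": orphan_entries(parsed),
        "dpf": dpf_controls(parsed),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_HJT).items():
        print(f"{key}: {value}")
```

On the excerpt the highest section is O16 and the footer is present, which is exactly the situation pskelley is asking about; the one orphan is the unnamed O3 toolbar, and of the two O16 downloads only the Kaspersky one is a .cab, the Virtools control being fetched as a bare .exe, a detail worth a second look when deciding what to keep.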

tashi
2007-11-20, 07:30
This topic has been moved to archives.

If you need the thread re-opened, please send me a private message (pm) and provide a link.

Applies only to the original poster, anyone else with similar problems please start your own topic.