PDA

View Full Version : murlo and virtumonde help please



Bnapier
2008-02-21, 23:31
I sure hope I am doing this correctly, but I need help with removing these tow items. My daughter filled her Dell PC with malware, trojans and the like. I have removed all but the two mentioned in the title of this post. I have run the spybot, avast, and system suite 8 several times to a point where I believe the machine is happy. Because of the Murlo.ff.rtk thing - the computer is denied internet access. (The virtumonde says it is fixed but will show up again if I cold boot the machine and re-run spybot.

I have run the HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:17:05 PM, on 2/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\AVANQU~1\SYSTEM~1\MXTask.exe
C:\WINDOWS\system32\FAF701FEFE04F.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVANQU~1\SYSTEM~1\mxtask.exe
C:\Program Files\NETGEAR\WN121T\wn121t.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WISPTIS.EXE
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE} - C:\WINDOWS\system32\khfddbx.dll (file missing)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {1CCBED22-84E7-4273-B826-DAFD422AF7FF} - C:\WINDOWS\system32\geede.dll (file missing)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {312366D1-3DDE-44EF-B3EF-EFB128167314} - (no file)
O2 - BHO: (no name) - {338A37DF-FA08-4049-AADC-E01CEF78F5DB} - (no file)
O2 - BHO: (no name) - {3469F879-054E-4682-967E-164B43B3919B} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\Avanquest\SystemSuite\LinkScannerIE.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {4E5992DF-B503-4F2D-BD49-569B66677DA0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: {5f21b25d-988f-ed7a-50f4-93075a1f6ca8} - {8ac6f1a5-7039-4f05-a7de-f889d52b12f5} - C:\WINDOWS\system32\uawjapve.dll
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: Google Module - {A2487E9B-AAE5-4d21-ADDE-1F342354974A} - supstar1.dll (file missing)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {A4F3A2F7-1CB3-401D-8EF0-8E473D947728} - (no file)
O2 - BHO: (no name) - {B5AC49A2-94F3-42BD-F434-2604812C897D} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {C2FDB7B2-8158-4F6C-B676-F2D2631DF727} - C:\Program Files\Outlook Express\vuci89104.dll
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {d839110c-391d-44c2-b8f1-98f266dd4f48} - C:\WINDOWS\system32\qwwibqa.dll
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {DEF42F68-71D1-4BA7-B68C-5189ECC35AAE} - (no file)
O2 - BHO: (no name) - {E457D91C-CB08-401D-8579-B74250153145} - (no file)
O2 - BHO: egmulhxk.msdn_hlp - {E78B911A-6F68-4B84-8C19-EC417C9590E2} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: (no name) - {EA816D6E-27B7-4FB3-8912-171D23928D3A} - (no file)
O2 - BHO: (no name) - {F4E48E29-6D2D-4FDF-B818-2298E3263E7B} - (no file)
O2 - BHO: (no name) - {F909CFA4-13E5-4E9D-8D45-7C72345D8596} - (no file)
O2 - BHO: (no name) - {FACA67CB-6421-4179-909F-5B46C2DB1180} - (no file)
O2 - BHO: (no name) - {FCB9CE86-FE5A-4EF1-B641-EBB779621D7E} - (no file)
O2 - BHO: (no name) - {FD14C570-C450-4498-A294-57B53E0EE593} - (no file)
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\RunOnce: [SpybotDeletingA2314] command /c del "C:\WINDOWS\Temp\startdrv.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1669] cmd /c del "C:\WINDOWS\Temp\startdrv.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\RunOnce: [SpybotDeletingB1731] command /c del "C:\WINDOWS\Temp\startdrv.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8452] cmd /c del "C:\WINDOWS\Temp\startdrv.exe"
O4 - HKUS\S-1-5-21-3028355049-4064157817-348378932-1006\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-3028355049-4064157817-348378932-1006\..\Run: [SpySweeper] (User '?')
O4 - HKUS\S-1-5-21-3028355049-4064157817-348378932-1006\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User '?')
O4 - HKUS\S-1-5-21-3028355049-4064157817-348378932-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-3028355049-4064157817-348378932-1006\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart (User '?')
O4 - HKUS\S-1-5-21-3028355049-4064157817-348378932-1006\..\RunOnce: [SpybotDeletingB1731] command /c del "C:\WINDOWS\Temp\startdrv.exe" (User '?')
O4 - Global Startup: NETGEAR WN121T Smart Wizard.lnk = C:\Program Files\NETGEAR\WN121T\wn121t.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: khfddbx - khfddbx.dll (file missing)
O22 - SharedTaskScheduler: sdf4dr4gfdgeetj - {B5AC49A2-94F3-42BD-F434-2604812C897D} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SystemSuite Task Manager - Avanquest Software USA, Inc. - C:\PROGRA~1\AVANQU~1\SYSTEM~1\MXTask.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10958 bytes


Kapersky log to follow

Bill

Bnapier
2008-02-21, 23:47
Virtumonde: [SBI $423524991 User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-3028355049-4064157817-348378932-1006\Software\Microsoft\rdfa
Virtumonde: [SBI $47E741CD] Settings (Registry key, fixed)
HKEY_LOCAL_MACI-IINE\SOFTWARE\Microsoft\aoprndtws
Virtumonde: [SBI $7342F9D9] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-3028355049-4064157817-348378932-1006\Software\Microsoft\aldd
Win32.Murlo.ff.rtk: [SBI $DBD08A4A] Autorun settings (startdrv) (Registry value, fixing failed) HKEY_LOCAL_MACHINE\SOFflNARE\Microsoft\Windows\CurrentVersion\Run\startdrv
Win32.Murlo.ff.rtk: [SBI $DBD08A4A] Program file (File, fixed)
C:\WINDOWS\Temp\startdrv.exe
Spybot - Search & Destroy version: 1.5 (build: 20070830)
2007-08-31 blindman.exe (1.0.0.6)
2007-08-31 SDMain.exe (1.0.0.4)
2007-08-31 SDUpdate.exe (1.0.6.4)
2007-08-31 SDWinSec.exe (1.0.0.8)
2007-08-31 SpybotSD.exe (1.5.1.15)
2007-08-31 TeaTimer.exe (1.5.0.9)
2007-11-16 unins000.exe (51.46.0.0)
2007-08-31 Update.exe (1.4.0.5)
2007-08-31 advcheck.dll (1.5.3.0)
2007-04-02 aports.dlI (2.1.0.0)
2007-04-02 DelZipl79.dIl (1.79.5.3)
2007-08-31 SDHelper.dll (1.5.0.8)
2007-08-31 Tools.dll (2.1.2.0)
2007-12-12 Includes\Cookies.sbi (*)
2007-10-31 Includes\Dialer.sbi (<)
2007-12-12 Includes\DialerC.sbi (*)
2007-11-07 Includes\Hijackers.sbi (<)
2007-12-12 Includes\HijackersC.sbi (*)
2007-10-04 Includes\Keyloggers.sbi (K)
2007-12-12 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-11-07 Includes\Malware.sbi (9
2007-12-12 Includes\MalwareC.sbi (K)
2007-10-24 Includes\PUPS.sbi (9
2007-12-12 Includes\PUPSC.sbi (K)
2007-12-12 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (9
2007-12-12 Includes\SecurityC.sbi (9
2007-11-07 Includes\Spybots.sbi (*)
2007-12-12 Includes\SpybotsC.sbi (9
2007-11-06 Includes\Tracks.uti
2007-12-12 Includes\Trojans.sbi (9
2007-12-12 Includes\TrojansC.sbi (*)
2008-12-24 Plugins\TCPIPAddress.dIl


I was reading through other members whom you have helped and I noticed that you handle each case individually...is there no universal procedure to remove these things?

Also, for what it is worth, it takes quite a while for the computer to start Spybot.

If it helps, I am fairly well versed in DOS if anyone still uses it!

Bill

Blade81
2008-02-27, 21:28
Hi

1. Download this file -
combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your desktop.
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your
next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause
it to stall



I was reading through other members whom you have helped and I noticed that you handle each case individually...is there no universal procedure to remove these things?
No, in these cases there's no universal procedure to removing.

Blade81
2008-03-02, 18:57
Due to inactivity, this thread will now be closed.

Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.