PDA

View Full Version : Virtumonde .dll & Media update


luvyou2
2008-04-01, 23:37
I have tried everything to delete these. Even manually. I may have finally deleted the MediaUpdate. I CANNOT delete Virtumonde.dll I had 2 Virtumonde files, but I deleted one somehow. Please help. Below is a log file from HJT

This was first one I ran,below it the 2nd one.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:33:01 PM, on 4/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {94BC3D1D-22E9-4744-8ED1-3E08A3B74078} - C:\WINDOWS\system32\khfEUmnk.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: (no name) - {D459A896-AAC2-44BC-A073-440E879A06D3} - C:\WINDOWS\system32\urqPjGab.dll (file missing)
O4 - HKLM\..\RunOnce: [SpybotDeletingA1717] command /c del "C:\WINDOWS\system32\geBrqrSl.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4235] cmd /c del "C:\WINDOWS\system32\geBrqrSl.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7829] command /c del "C:\WINDOWS\system32\urqPjGab.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6730] cmd /c del "C:\WINDOWS\system32\urqPjGab.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4286] command /c del "C:\WINDOWS\system32\geBrqrSl.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4] cmd /c del "C:\WINDOWS\system32\geBrqrSl.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7319] command /c del "C:\WINDOWS\system32\urqPjGab.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2556] cmd /c del "C:\WINDOWS\system32\urqPjGab.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\RunOnce: [SpybotDeletingB9015] command /c del "C:\WINDOWS\system32\geBrqrSl.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5979] cmd /c del "C:\WINDOWS\system32\geBrqrSl.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1565] command /c del "C:\WINDOWS\system32\urqPjGab.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1136] cmd /c del "C:\WINDOWS\system32\urqPjGab.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7795] command /c del "C:\WINDOWS\system32\geBrqrSl.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5155] cmd /c del "C:\WINDOWS\system32\geBrqrSl.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6315] command /c del "C:\WINDOWS\system32\urqPjGab.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3559] cmd /c del "C:\WINDOWS\system32\urqPjGab.dll_old"
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O20 - Winlogon Notify: khfEUmnk - khfEUmnk.dll (file missing)
O21 - SSODL: sxfnewqb - {A5C380C6-9BDF-4949-AC37-9634A4B147C3} - C:\WINDOWS\sxfnewqb.dll (file missing)
O21 - SSODL: fkdnrwsv - {CEC6B69C-93D0-48BE-8015-2F77B2F20977} - C:\WINDOWS\fkdnrwsv.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 5233 bytes

Here is the 2nd one I ran after having HJT fix it.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:18:59 PM, on 4/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\system32\ctfmon.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {D459A896-AAC2-44BC-A073-440E879A06D3} - C:\WINDOWS\system32\urqPjGab.dll (file missing)
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 1922 bytes

I am running Windows XP...Thank you so much for any help you give me to remove this...:hair:
Shaba
2008-04-03, 11:46
Hi luvyou2

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Post:

- a fresh HijackThis log
- combofix report
Shaba
2008-04-10, 14:43
Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.