PDA

View Full Version : Virtumonde won't go away


slk12
2008-06-24, 23:19
I have been running spybot scans, Vexira, and Norton for the past month. I keep getting "Virtumonde" and "Virtumonde.dll" listed as problems, among other adware. I click on the fix tab, and it appears to be removed. I have rescanned with the machine off line until I get a message stating that everything is clean. As soon as I try to connect to the internet, especially when I try to do a google search, the pop ups begin. Eventually the entire system freezes. I have tried to download windows updates, but I get messages that I am unable to complete these downloads. My windows firewall tells me that windows update is disabled. I enable it, but each time I open IE it is disabled again. I have very little experience with these matters, and am wondering if this is repairable, or if I need a new computer. I am running windows XP.
Blade81
2008-06-25, 20:10
Hi slk12

BEFORE you POST (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288) ;)


Download and install TrendMicro HijackThis (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe)
* Once installed open HijackThis by clicking Start > Programs > HijackThis and click the button labeled
Do a system scan only

* Click the scan button in the lower left hand corner of the interface and HijackThis will quickly scan your system.
* Once the scan is complete the scan button will now read save log. Click this button to save the log file to your PC. Once you select where you would like to save the file it will open in your systems default text editor. Typically this application is Notepad. Post the log here. :)
slk12
2008-06-27, 03:01
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:45 PM, on 6/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\DRIVERS\PRINTER\540\StatMon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\VEXIRA~1\Bin\vbcmserv.exe
C:\PROGRA~1\VEXIRA~1\Bin\vbsystry.exe
C:\Program Files\ZoomText 9.1\Zt.exe
C:\Program Files\ZoomText 9.1\ZER.exe
C:\Documents and Settings\Kris\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cleveland.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {213732B8-576E-4E8F-A9EB-614DC8260E0C} - C:\WINDOWS\system32\rqRHxxyY.dll (file missing)
O2 - BHO: (no name) - {23C72116-EF15-421B-BBF2-41B9494391DF} - (no file)
O2 - BHO: (no name) - {31711A8C-FC23-4A69-8EE1-0B2BA07B3B42} - C:\WINDOWS\system32\tuvSkKCt.dll (file missing)
O2 - BHO: (no name) - {3417FB45-4934-4249-9C0A-E80CB02194BF} - (no file)
O2 - BHO: (no name) - {36D9CB8D-B8CA-4A85-A879-06A71109F11E} - C:\WINDOWS\system32\qoMfgHaw.dll
O2 - BHO: (no name) - {36FA8A89-A208-40A6-A383-80367EF19218} - (no file)
O2 - BHO: (no name) - {39faff14-1eb6-4105-aa6c-96bfd932b5f2} - (no file)
O2 - BHO: (no name) - {3CEEBEA5-BFD9-4DC4-9C88-0AA558F68A96} - (no file)
O2 - BHO: (no name) - {46E66099-8B12-4757-A91D-BB7760F7580A} - C:\WINDOWS\system32\hgGxXnLF.dll (file missing)
O2 - BHO: (no name) - {4EC4A9FE-6AD9-403B-9690-47BA956AE7A1} - C:\WINDOWS\system32\rqRLbxVn.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {61B9FEF7-25A8-447A-9238-54F2C62A9BF3} - (no file)
O2 - BHO: (no name) - {6598C1FA-3E96-402F-A5DA-1A7A3B899949} - (no file)
O2 - BHO: (no name) - {73BACEDA-8360-46E1-8A65-4F33F06A69E5} - C:\WINDOWS\system32\opnkjHAq.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {78DEA175-20CA-42B6-B877-DFED19813C06} - C:\WINDOWS\system32\ddcYoLFx.dll (file missing)
O2 - BHO: (no name) - {7BE3558C-1093-44AD-A7A8-402050E4B496} - (no file)
O2 - BHO: (no name) - {90C102BB-3976-47AA-87DB-3676D9A03CE4} - C:\WINDOWS\system32\hgGxYOFv.dll (file missing)
O2 - BHO: (no name) - {A2E49385-A221-4F50-88AA-9CC39A8CF6C9} - (no file)
O2 - BHO: (no name) - {A3A4D80F-818B-4D00-B920-BEF6D98F984A} - C:\WINDOWS\system32\yayxwVPJ.dll (file missing)
O2 - BHO: (no name) - {A5F722E5-6FDB-4944-88CE-3CC9E3232BD0} - C:\WINDOWS\system32\xxyxVpMC.dll (file missing)
O2 - BHO: (no name) - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: (no name) - {BC6F1873-61A5-4CED-922E-7C6A973A9007} - (no file)
O2 - BHO: (no name) - {bdb1b027-ab61-4bbb-bd62-87b3ba20a90c} - (no file)
O2 - BHO: (no name) - {BEBA8641-9370-4D20-ADAC-5A50EEA684A3} - (no file)
O2 - BHO: (no name) - {C07A4156-7CB4-42FC-B010-5A2CFC4F7336} - (no file)
O2 - BHO: (no name) - {C8505F99-3F06-465E-B022-29C076CF734A} - C:\WINDOWS\system32\urqOGXrO.dll (file missing)
O2 - BHO: (no name) - {CE226DDE-AB4E-42A5-8EF4-827505A99A09} - C:\WINDOWS\system32\xxywWoNH.dll (file missing)
O2 - BHO: (no name) - {d52eb045-3f5c-4c10-84c0-1238947aafd8} - (no file)
O2 - BHO: (no name) - {D882F162-B052-446B-A8A4-5064FC57FF02} - (no file)
O2 - BHO: (no name) - {D9C62929-EC28-42D8-899F-A3EFC2F18177} - C:\WINDOWS\system32\qoMggfdE.dll (file missing)
O2 - BHO: (no name) - {E58AF927-C323-4A21-8DF3-102F85179A88} - C:\WINDOWS\system32\nnnnLcyV.dll (file missing)
O2 - BHO: (no name) - {E5B936E4-469C-4B62-9B8D-2152CCBA3DA9} - C:\WINDOWS\system32\ssqNHbYP.dll (file missing)
O2 - BHO: (no name) - {E68727CF-6E7F-40F0-B646-1BF41FA9E1F5} - (no file)
O2 - BHO: (no name) - {F07CCF52-A313-4FDC-815F-D578181577BB} - (no file)
O2 - BHO: (no name) - {F4189D4C-B3D2-4DED-ACE7-A17C377D6409} - C:\WINDOWS\system32\opnlIcDu.dll (file missing)
O2 - BHO: (no name) - {F5039FAE-FC4A-4763-98EA-9085AFA18D39} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DellStatusMonitor] "C:\DRIVERS\PRINTER\540\StatMon.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [VBSysTray] "C:\PROGRA~1\VEXIRA~1\Bin\vbsystry.exe"
O4 - HKLM\..\Run: [AVLoginToDo] "C:\PROGRA~1\VEXIRA~1\Bin\avltd.exe"
O4 - HKLM\..\Run: [BMe3fdc030] Rundll32.exe "C:\WINDOWS\system32\uepqktwd.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Creative Detector U] "C:\Program Files\Creative\MediaSource5\CTDetctu.exe" /R
O4 - HKCU\..\Run: [MtdAcqu] "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - S-1-5-18 Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Kris\Desktop\Erich\Job Search\New Folder\aim.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {11A02365-2859-4598-A9D5-4FDE99D67723} (PQIEBrowserConnector Class) - http://www.pqprintcenter.com/plugin/axversion/1611/printquick1611.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156780487340
O16 - DPF: {D2349304-8F9E-4A54-ACF6-0F6104B44209} (SketchCtl.Pic1) - http://auditor.cuyahogacounty.us/repi/sketch/Sketch.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15031/CTPID.cab
O20 - AppInit_DLLs: qjueshgf.dll
O20 - Winlogon Notify: qoMfgHaw - C:\WINDOWS\SYSTEM32\qoMfgHaw.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Vexira Antivirus Component Manager Service (VACompManService) - Central Command, Inc. - C:\PROGRA~1\VEXIRA~1\Bin\vbcmserv.exe

--
End of file - 12632 bytes
Blade81
2008-06-27, 08:36
Hi

Please uninstall Spybot for now to make sure TeaTimer won't interfere fixing. You may reinstall it after system is clean :)

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh hjt log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)