PDA

View Full Version : I got the Virtumonde blues



captainaviator
2008-09-01, 07:39
hi, this is my first time posting. i recently acquired virtumonde and some other malware (like XPGuard), and I've seemingly managed to rid my system of all malware but virtumonde. I'm running updated versions of both spybot s&d and also Adaware SE Personal. I also have McAfee and that runs completely in the background updating itself and running checks daily (without my noticing, therefore I'm unsure what it finds and deletes)
For some reason I cannot open internet explorer (nothing happens when i do, the process shows up in the task manager, but goes away)
my symptoms include:
-slower internet
-slower computer when opening programs
-random pictures on websites get transformed into clickable ads about my computer may be infected or something

spybot detects virtumonde, and successfully gets rid of whatever it finds. but it comes right back. During the scans it promps me to reboot and scan again, i click yes, it finishes scanning giving me that same prompt a few more times, it gets rid of whatever virtumonde stuff it finds, i restart the computer, it runs before windows finishes starting up, and promps me to reboot and scan again (in mid-scan). I spent a day repeating this process in safe mode with my computer unplugged from the internet. Didnt work.

on another note we just got HughesNet, It's satellite internet and we can only download 425 meg in a 24 hour period:sad:. If i have to download anything large, i can only download it between 3am to 6am central time, as downloads during that time aren't counted towards the 425meg/24hr period.
I might not have the ability to stay up that late to start a download, and since the internet runs extra slow at that time (from everyone on this ISP downloading then), it might be necessary for me to stay up until 6am to pause the DL for another night. therefore i would appreciate any methods that would include not downloading large files (close to or bigger than 425meg).

my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:08 PM, on 8/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [BM3fbcae0a] Rundll32.exe "C:\WINDOWS\system32\hoikuaym.dll",s
O4 - HKLM\..\RunServices: [Microsoft Windowsx DLL Services Configuration] windir32.exe
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA8399] command /c del "C:\WINDOWS\system32\wvUljGYO.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2691] cmd /c del "C:\WINDOWS\system32\wvUljGYO.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {6491E7CB-F83B-4D31-8F99-6384A633FE58} (EconCVX Control) - http://www.mathxl.com/applets/EconCVX.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com/fs5/ax/ActiveXWebCam.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gix
O17 - HKLM\Software\..\Telephony: DomainName = gix
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gix
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: xbhaia.dll bjcglh.dll roxkbe.dll vqqhwo.dll txpbvr.dll apzdpo.dll fkruqp.dll zzcjzg.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

--
End of file - 8151 bytes

pskelley
2008-09-01, 23:21
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
This can be a tough infection to remove so do not expect fast or easy.

You have a Vundo infection which is bad enough, but this is the one that worries me:
O4 - HKLM\..\RunServices: [Microsoft Windowsx DLL Services Configuration] windir32.exe
http://www.sophos.com/security/analyses/viruses-and-spyware/w32sdbotabm.html
W32/Sdbot-ABM runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.liutilities.com/products/wintaskspro/processlibrary/windir32/
In worst cases this worm can allow attackers to access your computer, stealing passwords and personal data.

A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to by used by the attacker for malicious purposes unknown to the user.

One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information and Download and Execute files
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

Let us know what you have decided to do in your next post.

Thanks

captainaviator
2008-09-02, 03:20
wow, this is a lot more serious than i thought. thank you for giving me the heads up. I'm posting from my laptop now, and the infected PC is disconnnected from the internet.
is there any way of telling how long the possible backdoor trojan has been on my computer? I mean, i have a general idea, because of when the symptoms popped up, but is there any way of telling when they got there?
I don't think I've done much on there that's too sensitive since the problems started, but its better to be on the safe side.
I also have a feeling the problems came from accidentally visiting a website that had obviously been infiltrated by a team of hackers from Israel (they were proud of their accomplishment). It seems as though the hackers were attacking the owners of the site, but could also have had it set up so any computers visiting the site would be compromised. I also don't have any enemies who would want to harm me this way, and i certainly haven't had anyone actually sit at my computer who was capable of this, at least since a while before this whole thing started.
So if i am being targeted it's probably (from my knowledge) from someone remotely and not because its me, but rather because I'm someone to target.
Either way, i've been meaning to completely upgrade my computer anyway, but not quite this soon. This however might be the time to do it. If i do, i might just end up upgrading the OS to vista.
I do have a lot of stuff on my computer, and i would like to keep it. Would it be safe to move all the files i would like to save to an external hard drive? or is there a risk that infections could get passed onto the new hard drive through moving large amounts of files? (like entire programs i may have lost the install disks to)

Oh, and i did read through "before you post" and the links you sent me

I'm going to check over a few things before i decide to go ahead with reformatting and reinstalling, and if i decide to, I'll post again with my final decision. But in the mean time, would you like to go ahead and see what we can do with cleaning this thing?

thanks

pskelley
2008-09-02, 03:36
I posted the name of the trojan, you would need to search for it but it is probably in the System32 folder. It may also be hidden, so you would need to enable view of all files and folder.

I am a volunteer with only so much time to give and I am helping 70 plus folks as we speak. I have no time to waste, at my age, so if you are going to reformat...

Thanks

pskelley
2008-09-08, 17:07
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.