PDA

View Full Version : Virtumonde and virtumonde.prx


caa100
2008-11-21, 22:01
First off, thanks for providing this important public service. I will be making a donation once I am sure this PC is clean.

Here is my situation:

My wife began getting a huge number of popups taking her to various web sites yesterday, including some porn stuff.
She uses IE. McAfee is installed on her PC, and reported no problems.
It was very erratic, but at times she would enter a URL and get 3 or 4 popups.

I installed and ran SpyBot Search and Destroy, which reported several exceptions related to Virtumonde and Virtumonde.prx.

Per the in-program instructions for virtumonde, I did this yesterday

allowed it to fix Virtumonde and Virtumonde.prx
disconnected from the network,
rebooted and rescanned -- It found virtumonde
Selected Fix again, then rebooted
scanned a third time, and they were no longer listed.


I should mention that I had tea timer running, which I realize was a mistake, and that it seemed to cause an exception whenever the computer tried to shut down.

Today, tea timer started reporting attempts to modify the registry. I renamed a couple of the DLL's it was referencing -- benugame.dll, and tulowifi.dll. However, it was repeatedly trying to register these and system peformance was poor.

So I came here and read the instructions.

This is what I did today:

I disabled TeaTimer, rebooted, ran the BAT file to clean up TeaTimer, Rebooted again and scanned
It reported Virtumonde.
I selected Fix, disconnected from the net, rebooted,
Scanned again, found Virtumonde again, fixed, rebooted.
Scanned a third time, virtumonde is not reported


That's where I am now. Here is the HiJack This log. (I have deleted a couple of entries that show the names of servers internal to my spouse's company.)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:18:42 PM, on 11/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Cisco Systems\CSAgent\bin\CSAControl.exe
C:\Program Files\Cisco Systems\CSAgent\bin\leventmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ngvpnmgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Remote Services\AM.utEventServer.exe
C:\SQLLIB\bin\db2ccs.exe
C:\SQLLIB\bin\db2jds.exe
C:\SQLLIB\bin\db2sec.exe
C:\WINDOWS\enproc.exe
C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\WINDOWS\system32\PGPserv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\AXP\SDS Agent 2.1\SDSAgentCtl.exe
C:\Program Files\AXP\SDS Agent 2.1\SDSService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Tivoli\Trip\trip.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Program Files\Remote Services\AM.blScriptEngine.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\PGP Corporation\PGP Desktop\PGPtray.exe
C:\Program Files\Cisco Systems\CSAgent\bin\okclient.exe
C:\IMNNQ_NT\HTTPDL.exe
C:\IMNNQ_NT\imnsvdem.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Documents and Settings\[edited]\Desktop\HikackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [edited]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = [edited]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = [edited];<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2b6dfcf4-48ca-42bb-9eea-7a03894b9dd9} - C:\WINDOWS\system32\jadelamo.dll
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SwdisUsrPCN. [edited]
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [nususonoje] Rundll32.exe "C:\WINDOWS\system32\ziyewila.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKUS\S-1-5-19\..\Run: [nususonoje] Rundll32.exe "C:\WINDOWS\system32\ziyewila.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [nususonoje] Rundll32.exe "C:\WINDOWS\system32\ziyewila.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08d7 -f video -m logitech -d 11.5.0.1145 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08d7 -f video -m logitech -d 11.5.0.1145 (User 'Default user')
O4 - Startup: CCC.lnk = ?
O4 - Global Startup: Cisco Security Agent.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: PGPtray.exe.lnk = ?
O4 - Global Startup: Start HTML Search Server.lnk = C:\SQLLIB\bin\db2nq.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=[edited]
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https:[edited]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = [edited]
O17 - HKLM\Software\..\Telephony: DomainName = [edited]
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = [edited]
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = [edited]
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = [edited]
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = [edited]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = [edited]
O20 - AppInit_DLLs: csauser.dll C:\WINDOWS\system32\valavuja.dll c:\windows\system32\memaleho.dll c:\windows\system32\tulowifi.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tulowifi.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tulowifi.dll (file missing)
O23 - Service: Access Manager Event Service (AM.EventService) - Verizon Business Global LLC - C:\Program Files\Remote Services\AM.utEventServer.exe
O23 - Service: Access Manager Install Service (AM.InstallService) - Verizon Business Global LLC - C:\Program Files\Remote Services\AM.InstallService.exe
O23 - Service: Access Manager Script Service (AM.ScriptService) - Verizon Business Global LLC - C:\Program Files\Remote Services\AM.blScriptEngine.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Security Agent (CSAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\CSAgent\bin\CSAControl.exe
O23 - Service: DB2 JDBC Applet Server - Control Center (DB2ControlCenterServer) - Unknown owner - C:\SQLLIB\bin\db2ccs.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - Unknown owner - C:\SQLLIB\bin\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - Unknown owner - C:\SQLLIB\bin\db2sec.exe
O23 - Service: enproc - Unknown owner - C:\WINDOWS\enproc.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: MCI Wireless Engine - Unknown owner - C:\Program Files\Remote Services\WENGINE2\BWEngine.exe
O23 - Service: MCI WMonitor - Boingo Wireless, Inc. - C:\Program Files\Remote Services\WENGINE2\WMonitor.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Aventail VPN Client (NgVpnMgr) - Aventail Corporation - C:\WINDOWS\system32\ngvpnmgr.exe
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: SDS Agent Control (SDSAgentCtl) - Unknown owner - C:\Program Files\AXP\SDS Agent 2.1\SDSAgentCtl.exe
O23 - Service: SDS Install Service (SDSService) - Unknown owner - C:\Program Files\AXP\SDS Agent 2.1\SDSService.exe
O23 - Service: Software Distribution Updater (SwdisRestart) - Unknown owner - C:\Tivoli\lcf\dat\1\cache\lib\w32-ix86\swdres.exe
O23 - Service: ThinkVantage Registry Monitor Service - Unknown owner - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: Tivoli Remote Execution Service (trip) - Unknown owner - C:\Tivoli\Trip\trip.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
O23 - Service: Quest Resource Updating Agent - ADR Project (Vmover.exe) - Quest Software - C:\WINDOWS\System32\vmover.exe

--
End of file - 11789 bytes
pskelley
2008-11-23, 14:41
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

This is a tough one to remove because it has the ability to morph and recreate and much of the infection can not be seen in HJT. Since you edited the domain I first need to make sure this is a personal computer, please read this:
http://forums.spybot.info/showpost.php?p=25712&postcount=5

Note: When the infected computer in question is a company machine in the workplace, and you are an employee.
Please review that information and do not proceed unless this is your own personal computer.

1) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

2) Post an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP,
Update for Windows XP and Windows XP Hotfix to shorten the list)
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

3) I need to collect some information first:
http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.

Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

Post only the C:\rapport.txt

Thanks

Could you tell me why you are running an out of date Internet Explorer browswer when IE7 is more secure and IE8 is already released in beta?
caa100
2008-11-24, 00:41
OK, thanks for your response.

I am not in IT nor am I a consultant, so I thought it would be OK to post. But this is a coprporate PC, so I understand that this disqualifies me from getting help here.

My wife asked me to look at it because if she turns it over to IT she will be without if for a few days. I had been able to get rid of CoolWebSearch for her a couple of years ago, but this one is nasty. I will tell her this is more than I can handle, and have her send it along.

If this was my PC, I would nuke it and reinstall everything.

And to your comment about IE6, all I can say is I know. :rolleyes: Dont know why her co. still uses it. None of my computers at home use IE6 (or in fact any version of IE). They run Firefox with NoScript.

Thanks, and sorry that I should not have been asking for help here.
pskelley
2008-11-24, 00:48
Did you read this information:


The intention of this forum is not to replace a company's IT department, nor can we anticipate alterations or configurations that may have been made to a business machine, or how it will interact with the tools commonly used in the removal of malware.

More than one machine could be at stake, possibly even the server. If sensitive material has been compromised by an infection, the company could be held liable.

To prevent any possible loss or corruption of company information, please inform your IT department or Supervisor when a workplace computer has been infected, immediately.
There may be more going on here than one computer?
pskelley
2008-11-30, 15:57
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.