Virtumonde infection



Lima33
2010-10-09, 00:01
Hi Guys,
I am infected with virtumonde. Spybot scans several 100,000 virtumonde files but does not recognise them as a problem. I have clean installed Windows XP home edition but it has made no difference - they are still there. I hope I have attached files properly as requested. Any help would be very much appreciated.

Lima33

DDS (Ver_10-10-05.01) - NTFSx86
Run by Steven at 22:17:40.07 on 08/10/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.447.104 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Steven\Local Settings\Temporary Internet Files\Content.IE5\WLM38H2N\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.tiscali.co.uk
uInternet Connection Wizard,ShellNext = hxxp://www.tiscali.co.uk/
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0\bin\jusched.exe
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\steven\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-10-08 20:34:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-08 20:34:05 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-10-08 20:22:44 -------- d-----w- c:\windows\system32\SoftwareDistribution
2010-10-08 20:22:33 -------- d-----w- c:\program files\Tiscali
2010-10-08 20:22:33 -------- d-----w- c:\docume~1\steven\locals~1\applic~1\Siemens

==================== Find3M ====================

2010-10-07 21:30:09 49262 ----a-w- c:\windows\system32\jpicpl32.cpl

============= FINISH: 22:18:28.43 ===============

tashi
2010-10-09, 00:15
Hello Lima33,

Hi Guys,
I am infected with virtumonde. Spybot scans several 100,000 virtumonde files but does not recognise them as a problem. I have clean installed Windows XP home edition but it has made no difference - they are still there.

During the running of a Spybot scan ("Check for problems") the status bar in the lower left hand corner of the screen displays the products Spybot-S&D is currently searching for.

It does not mean that these items are on your PC. :) When the scan completes the results are displayed and in your case, as described, no threats were found.

Best regards.

Lima33
2010-10-09, 04:09
That sounds like very good news, but I have tried this previously and before I have put anything back on the computer it starts wanting to change the home page. But it sounds like I am concerning myself about a problem I do not have. Thank you very much for your assistance.

Lima33

tashi
2010-10-09, 19:36
Hello Lima33,

That sounds like very good news, but I have tried this previously and before I have put anything back on the computer it starts wanting to change the home page. But it sounds like I am concerning myself about a problem I do not have. Thank you very much for your assistance.

Lima33
I misunderstood thinking you were speaking of the items Spybot-S&D scanned for. :)

The log is clean but while you are here,

Please open Spybot Search & Destroy > Help > About and let us know the version and date of last definitions.

No anti virus program is installed. Did you have one previously?

Update Java. Sun Microsystems~Java. Security vulnerability in older versions left on system (http://forums.spybot.info/showpost.php?p=12880&postcount=2)

IE6 is antiquated and vulnerable to exploits. ;) Please go to the windows update site (http://windowsupdate.microsoft.com/) to get critical updates as it is important to update Windows and Internet Explorer to protect your computer.

Best regards.
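
The checks tashi reads off the DDS log in the post above (browser version, Java runtime, missing antivirus) can be scripted. This is an added example, not part of the original thread or of DDS itself; the version thresholds and the assumption that DDS lists registered antivirus products on "AV:" header lines are choices made for this sketch.

```python
import re

# Constructed excerpt of the DDS log posted at the top of this thread.
SAMPLE_LOG = r"""DDS (Ver_10-10-05.01) - NTFSx86
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.447.104 [GMT 1:00]
============== Running Processes ===============
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
============== Pseudo HJT Report ===============
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0\bin\jusched.exe
"""

# Assumed thresholds for this example; adjust to current vendor guidance.
MIN_IE_MAJOR = 8
MIN_JAVA = (1, 6)

def triage(log_text):
    """Return a list of hygiene findings read from a DDS log."""
    findings = []
    # The header is everything before the first "==== section ====" banner.
    header = re.split(r"^=+ .+ =+$", log_text, maxsplit=1, flags=re.M)[0]

    ie = re.search(r"^Internet Explorer:\s*((\d+)\.[\d.]+)", header, re.M)
    if ie and int(ie.group(2)) < MIN_IE_MAJOR:
        findings.append(f"outdated browser: Internet Explorer {ie.group(1)}")

    # Assumption: registered antivirus products appear as "AV:" header lines.
    if not re.search(r"^AV:", header, re.M):
        findings.append("no antivirus listed in header")

    # Java runtimes are identified from install paths such as ...\jre1.5.0\...
    javas = {m.group(1) for m in
             re.finditer(r"\\jre(\d+\.\d+\.\d+(?:_\d+)?)\\", log_text, re.I)}
    for ver in sorted(javas):
        if tuple(int(p) for p in ver.split(".")[:2]) < MIN_JAVA:
            findings.append(f"outdated Java runtime: {ver}")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```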

Lima33
2010-10-09, 21:44
It is Spybot version 1.6.2.46 & the date is 6/10/2010
I had Norton security but I have not reinstalled anything on it yet.
You were correct - I was referring to the information in the lower left corner.
It has again started wanting me to change the home page and it has put an icon on the desktop called 'browser choice'. I did not think this was normal but maybe it is - I don't know a lot about computers.
Thank you very much
Lima33

tashi
2010-10-09, 22:13
Hi there,


It has again started wanting me to change the home page and it has put an icon on the desktop called 'browser choice'.

By 'it' are you referring to your browser Internet Explorer 6? :)

What is the Browser Choice update? (KB976002)
http://windows.microsoft.com/en-gb/windows/what-is-the-browser-choice-update

As you are on the Internet you really need to get your anti virus program installed, updated and running. :)

Lima33
2010-10-10, 03:13
How do I know if it is Internet Explorer 6? I did say I did not know much about computers!

tashi
2010-10-10, 03:32
How do I know if it is Internet Explorer 6?

Hello Lima33,

Your log shows: Internet Explorer: 6.0.2900.2180.

Also when Internet Explorer is open there is a menu bar at the top of the screen. Help> About Internet Explorer, which gives you the version. :)

tashi
2010-10-10, 18:01
Hello Lima33,

This topic was started in the malware removal forum; at this time apparently no infection is present, therefore the thread has been closed.

Questions regarding Spybot-S&D support can be asked here: Spybot-S&D Forums (http://forums.spybot.info/forumdisplay.php?f=4). General questions in the Tavern. Welcome and 'Purpose of the Tavern' (http://forums.spybot.info/showthread.php?t=187)



Update Java. Sun Microsystems~Java. Security vulnerability in older versions left on system (http://forums.spybot.info/showpost.php?p=12880&postcount=2)

Please go to the windows update site (http://windowsupdate.microsoft.com/) to get critical updates as it is important to update Windows and Internet Explorer to protect your computer.



As you are on the Internet you really need to get your anti virus program installed, updated and running. :)

Best regards.