Virtumonde

[dannyboy]

Well as a new user to this forum so I could get some help, I can read that this trojan is common now.

I've seemed to have got this about 2 days ago. I have used the internet since finding it, not thinking it was that hard to get out of my system with my spybot if I retried when I had time, but it just won't go (as well as new viruses each time, which can get wiped though when I re-scan on spybot - not sure if virtumonda is causing them each time).

Firstly...should I NOT be using the internet on IE at all then? (shall I physically unplug from the back? - apart from when I'm on here? or do i go into safemode somehow?).

Secondly just to clarify for you the virus it detected on spybot was virtumonde.dll (more specifically - C:\WINDOWS\system32\vturo.dll).

I'm not very good with computers or knowledgable so any simple precise steps for me to take would be most grateful (why I created a new thread so hope it is ok given I saw Ken helping others beforehand).

Your help would be muchly appreciated because I do a lot of work from home and my system is so slow and timeconsuming becuase of this trojan. :(

Regards,

Dan

[dannyboy]

HJT LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:55:27, on 26/01/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\atwtusb.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\twain_32\SiPix\SCBlink2\Srvany.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\twain_32\SiPix\SCBlink2\USBPNP.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Promise\Utility\MsgAgt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msrr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Policies\Explorer\Run: [{603626BA-0708-2057-0913-02091320002c}] "C:\Program Files\Common Files\{603626BA-0708-2057-0913-02091320002c}\Update.exe" mc-110-12-0001411
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: Ãâ·Ñ¾«²ÊÊÓƵ³¬Á÷³©ÔÚÏß¹Û¿´ - {022C4009-5283-4365-97BF-144054B40E2E} - http://itv.mop.com (file missing)
O9 - Extra 'Tools' menuitem: ²¥°ÔµçÊÓ - {022C4009-5283-4365-97BF-144054B40E2E} - http://itv.mop.com (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/reader/dbplugin.cab
O16 - DPF: {18506D80-9B80-11D4-82C2-0080C8D7ED4A} (GameDesire Roulette) - http://67.15.101.3/g_bin/eng/roulette_2_0_0_17.cab
O16 - DPF: {3C38DEE8-BE1A-4DEC-B232-2C78706CC7EA} - http://ps.itv.mop.com/update/update/....10-signed.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/169b2c16...p/RdxIE601.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.3/g_bin/eng/poker_2_0_0_39.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/eng/billard8_2_0_0_35.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C2} (GameDesire Pool 9) - http://67.15.101.3/g_bin/eng/billard9_2_0_0_30.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://67.15.101.3/g_bin/eng/snooker_2_0_0_34.cab
O16 - DPF: {FEE1002D-90A5-4A5D-AABE-01803FFBCF7A} - http://ps.itv.mop.com/dn/files/pCast....94_signed.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Blink2PnP - Unknown owner - C:\WINDOWS\twain_32\SiPix\SCBlink2\Srvany.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Promise RAID message agent (RAIDmAgt) - Promise Technology, Inc. - C:\Program Files\Promise\Utility\MsgAgt.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 8125 bytes

[dannyboy]

Kapersky log report

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, January 26, 2008 7:53:20 PM
Operating System: Microsoft Windows XP Professional, (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 26/01/2008
Kaspersky Anti-Virus database records: 533507
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 127320
Number of viruses found: 2
Number of infected objects: 13
Number of suspicious objects: 0
Duration of the scan process: 01:29:26

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\d\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\d\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\d\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\d\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\d\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\d\ntuser.dat Object is locked skipped
C:\Documents and Settings\d\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\_restore{A7F8C949-A2DD-4DC1-A889-5E88E559A9BB}\RP879\A0219352.exe Infected: not-a-virus:FraudTool.Win32.PerfomanceOptimizer.a skipped
C:\System Volume Information\_restore{A7F8C949-A2DD-4DC1-A889-5E88E559A9BB}\RP879\A0219353.exe Infected: not-a-virus:FraudTool.Win32.PerfomanceOptimizer.a skipped
C:\System Volume Information\_restore{A7F8C949-A2DD-4DC1-A889-5E88E559A9BB}\RP879\A0219354.exe Infected: not-a-virus:FraudTool.Win32.PerfomanceOptimizer.a skipped
C:\System Volume Information\_restore{A7F8C949-A2DD-4DC1-A889-5E88E559A9BB}\RP879\A0219355.exe Infected: not-a-virus:FraudTool.Win32.PerfomanceOptimizer.a skipped
C:\System Volume Information\_restore{A7F8C949-A2DD-4DC1-A889-5E88E559A9BB}\RP926\A0225790.exe Object is locked skipped
C:\System Volume Information\_restore{A7F8C949-A2DD-4DC1-A889-5E88E559A9BB}\RP932\A0226113.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{A7F8C949-A2DD-4DC1-A889-5E88E559A9BB}\RP932\A0226113.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{A7F8C949-A2DD-4DC1-A889-5E88E559A9BB}\RP932\A0226114.exe Object is locked skipped
C:\System Volume Information\_restore{A7F8C949-A2DD-4DC1-A889-5E88E559A9BB}\RP933\A0226158.dll Object is locked skipped
C:\System Volume Information\_restore{A7F8C949-A2DD-4DC1-A889-5E88E559A9BB}\RP933\A0226159.dll Object is locked skipped
C:\System Volume Information\_restore{A7F8C949-A2DD-4DC1-A889-5E88E559A9BB}\RP933\A0226160.exe Object is locked skipped
C:\System Volume Information\_restore{A7F8C949-A2DD-4DC1-A889-5E88E559A9BB}\RP933\change.log Object is locked skipped
C:\sysxxdv.exe Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\PerfomanceOptimizerPre_Installer.exe Infected: not-a-virus:FraudTool.Win32.PerfomanceOptimizer.a skipped
C:\WINDOWS\Downloaded Program Files\PerformanceoptimizerFreeSetup[1].exe/stream/data0013 Infected: not-a-virus:FraudTool.Win32.PerfomanceOptimizer.a skipped
C:\WINDOWS\Downloaded Program Files\PerformanceoptimizerFreeSetup[1].exe/stream/data0014 Infected: not-a-virus:FraudTool.Win32.PerfomanceOptimizer.a skipped
C:\WINDOWS\Downloaded Program Files\PerformanceoptimizerFreeSetup[1].exe/stream/data0038 Infected: not-a-virus:FraudTool.Win32.PerfomanceOptimizer.a skipped
C:\WINDOWS\Downloaded Program Files\PerformanceoptimizerFreeSetup[1].exe/stream/data0040 Infected: not-a-virus:FraudTool.Win32.PerfomanceOptimizer.a skipped
C:\WINDOWS\Downloaded Program Files\PerformanceoptimizerFreeSetup[1].exe/stream Infected: not-a-virus:FraudTool.Win32.PerfomanceOptimizer.a skipped
C:\WINDOWS\Downloaded Program Files\PerformanceoptimizerFreeSetup[1].exe NSIS: infected - 5 skipped
C:\WINDOWS\Profiles\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\WINDOWS\Profiles\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd5517.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\mmf.sys Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\Temp\tmp00002280\tmp00000000 Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped

Scan process completed.

[dannyboy]

Hi there. I've posted the HJT log and Kaspersky log as stated.

Just wondering if anyone could help on what I should do next. I was going to something myself after looking at different peoples posts but wasn't sure whether to rename the hiJackthis exe file or use Combofix as the next step? (as maybe there is a different solution to each person.

Any help would be much appreciated.

Dan

[Blade81]

Hi

Check post #4 of Before you post topic and install service pack 1a according to instructions there. Post a fresh hjt log when ready.

[Blade81]

Due to inactivity, this thread will now be closed.

Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.