Results 1 to 4 of 4

Thread: murlo and virtumonde help please

  1. #1
    Junior Member
    Join Date
    Feb 2008
    Posts
    18

    Default murlo and virtumonde help please

    I sure hope I am doing this correctly, but I need help with removing these tow items. My daughter filled her Dell PC with malware, trojans and the like. I have removed all but the two mentioned in the title of this post. I have run the spybot, avast, and system suite 8 several times to a point where I believe the machine is happy. Because of the Murlo.ff.rtk thing - the computer is denied internet access. (The virtumonde says it is fixed but will show up again if I cold boot the machine and re-run spybot.

    I have run the HJT:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:17:05 PM, on 2/21/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
    C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\PROGRA~1\AVANQU~1\SYSTEM~1\MXTask.exe
    C:\WINDOWS\system32\FAF701FEFE04F.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\AVANQU~1\SYSTEM~1\mxtask.exe
    C:\Program Files\NETGEAR\WN121T\wn121t.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\WISPTIS.EXE
    c:\program files\common files\installshield\updateservice\isuspm.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
    R3 - URLSearchHook: (no name) - ~4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE} - C:\WINDOWS\system32\khfddbx.dll (file missing)
    O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
    O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
    O2 - BHO: (no name) - {1CCBED22-84E7-4273-B826-DAFD422AF7FF} - C:\WINDOWS\system32\geede.dll (file missing)
    O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
    O2 - BHO: (no name) - {312366D1-3DDE-44EF-B3EF-EFB128167314} - (no file)
    O2 - BHO: (no name) - {338A37DF-FA08-4049-AADC-E01CEF78F5DB} - (no file)
    O2 - BHO: (no name) - {3469F879-054E-4682-967E-164B43B3919B} - (no file)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\Avanquest\SystemSuite\LinkScannerIE.dll
    O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O2 - BHO: (no name) - {4E5992DF-B503-4F2D-BD49-569B66677DA0} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: {5f21b25d-988f-ed7a-50f4-93075a1f6ca8} - {8ac6f1a5-7039-4f05-a7de-f889d52b12f5} - C:\WINDOWS\system32\uawjapve.dll
    O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
    O2 - BHO: Google Module - {A2487E9B-AAE5-4d21-ADDE-1F342354974A} - supstar1.dll (file missing)
    O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
    O2 - BHO: (no name) - {A4F3A2F7-1CB3-401D-8EF0-8E473D947728} - (no file)
    O2 - BHO: (no name) - {B5AC49A2-94F3-42BD-F434-2604812C897D} - (no file)
    O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
    O2 - BHO: (no name) - {C2FDB7B2-8158-4F6C-B676-F2D2631DF727} - C:\Program Files\Outlook Express\vuci89104.dll
    O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
    O2 - BHO: (no name) - {d839110c-391d-44c2-b8f1-98f266dd4f48} - C:\WINDOWS\system32\qwwibqa.dll
    O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
    O2 - BHO: (no name) - {DEF42F68-71D1-4BA7-B68C-5189ECC35AAE} - (no file)
    O2 - BHO: (no name) - {E457D91C-CB08-401D-8579-B74250153145} - (no file)
    O2 - BHO: egmulhxk.msdn_hlp - {E78B911A-6F68-4B84-8C19-EC417C9590E2} - (no file)
    O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
    O2 - BHO: (no name) - {EA816D6E-27B7-4FB3-8912-171D23928D3A} - (no file)
    O2 - BHO: (no name) - {F4E48E29-6D2D-4FDF-B818-2298E3263E7B} - (no file)
    O2 - BHO: (no name) - {F909CFA4-13E5-4E9D-8D45-7C72345D8596} - (no file)
    O2 - BHO: (no name) - {FACA67CB-6421-4179-909F-5B46C2DB1180} - (no file)
    O2 - BHO: (no name) - {FCB9CE86-FE5A-4EF1-B641-EBB779621D7E} - (no file)
    O2 - BHO: (no name) - {FD14C570-C450-4498-A294-57B53E0EE593} - (no file)
    O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O4 - HKLM\..\RunOnce: [SpybotDeletingA2314] command /c del "C:\WINDOWS\Temp\startdrv.exe"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC1669] cmd /c del "C:\WINDOWS\Temp\startdrv.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
    O4 - HKCU\..\RunOnce: [SpybotDeletingB1731] command /c del "C:\WINDOWS\Temp\startdrv.exe"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD8452] cmd /c del "C:\WINDOWS\Temp\startdrv.exe"
    O4 - HKUS\S-1-5-21-3028355049-4064157817-348378932-1006\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
    O4 - HKUS\S-1-5-21-3028355049-4064157817-348378932-1006\..\Run: [SpySweeper] (User '?')
    O4 - HKUS\S-1-5-21-3028355049-4064157817-348378932-1006\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User '?')
    O4 - HKUS\S-1-5-21-3028355049-4064157817-348378932-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
    O4 - HKUS\S-1-5-21-3028355049-4064157817-348378932-1006\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart (User '?')
    O4 - HKUS\S-1-5-21-3028355049-4064157817-348378932-1006\..\RunOnce: [SpybotDeletingB1731] command /c del "C:\WINDOWS\Temp\startdrv.exe" (User '?')
    O4 - Global Startup: NETGEAR WN121T Smart Wizard.lnk = C:\Program Files\NETGEAR\WN121T\wn121t.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - Winlogon Notify: khfddbx - khfddbx.dll (file missing)
    O22 - SharedTaskScheduler: sdf4dr4gfdgeetj - {B5AC49A2-94F3-42BD-F434-2604812C897D} - (no file)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SystemSuite Task Manager - Avanquest Software USA, Inc. - C:\PROGRA~1\AVANQU~1\SYSTEM~1\MXTask.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 10958 bytes


    Kapersky log to follow

    Bill

  2. #2
    Junior Member
    Join Date
    Feb 2008
    Posts
    18

    Default Problems with Kapersky log

    Virtumonde: [SBI $423524991 User settings (Registry key, fixed)
    HKEY_USERS\S-1-5-21-3028355049-4064157817-348378932-1006\Software\Microsoft\rdfa
    Virtumonde: [SBI $47E741CD] Settings (Registry key, fixed)
    HKEY_LOCAL_MACI-IINE\SOFTWARE\Microsoft\aoprndtws
    Virtumonde: [SBI $7342F9D9] Settings (Registry key, fixed)
    HKEY_USERS\S-1-5-21-3028355049-4064157817-348378932-1006\Software\Microsoft\aldd
    Win32.Murlo.ff.rtk: [SBI $DBD08A4A] Autorun settings (startdrv) (Registry value, fixing failed) HKEY_LOCAL_MACHINE\SOFflNARE\Microsoft\Windows\CurrentVersion\Run\startdrv
    Win32.Murlo.ff.rtk: [SBI $DBD08A4A] Program file (File, fixed)
    C:\WINDOWS\Temp\startdrv.exe
    Spybot - Search & Destroy version: 1.5 (build: 20070830)
    2007-08-31 blindman.exe (1.0.0.6)
    2007-08-31 SDMain.exe (1.0.0.4)
    2007-08-31 SDUpdate.exe (1.0.6.4)
    2007-08-31 SDWinSec.exe (1.0.0.8)
    2007-08-31 SpybotSD.exe (1.5.1.15)
    2007-08-31 TeaTimer.exe (1.5.0.9)
    2007-11-16 unins000.exe (51.46.0.0)
    2007-08-31 Update.exe (1.4.0.5)
    2007-08-31 advcheck.dll (1.5.3.0)
    2007-04-02 aports.dlI (2.1.0.0)
    2007-04-02 DelZipl79.dIl (1.79.5.3)
    2007-08-31 SDHelper.dll (1.5.0.8)
    2007-08-31 Tools.dll (2.1.2.0)
    2007-12-12 Includes\Cookies.sbi (*)
    2007-10-31 Includes\Dialer.sbi (<)
    2007-12-12 Includes\DialerC.sbi (*)
    2007-11-07 Includes\Hijackers.sbi (<)
    2007-12-12 Includes\HijackersC.sbi (*)
    2007-10-04 Includes\Keyloggers.sbi (K)
    2007-12-12 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2007-11-07 Includes\Malware.sbi (9
    2007-12-12 Includes\MalwareC.sbi (K)
    2007-10-24 Includes\PUPS.sbi (9
    2007-12-12 Includes\PUPSC.sbi (K)
    2007-12-12 Includes\Revision.sbi (*)
    2007-05-30 Includes\Security.sbi (9
    2007-12-12 Includes\SecurityC.sbi (9
    2007-11-07 Includes\Spybots.sbi (*)
    2007-12-12 Includes\SpybotsC.sbi (9
    2007-11-06 Includes\Tracks.uti
    2007-12-12 Includes\Trojans.sbi (9
    2007-12-12 Includes\TrojansC.sbi (*)
    2008-12-24 Plugins\TCPIPAddress.dIl


    I was reading through other members whom you have helped and I noticed that you handle each case individually...is there no universal procedure to remove these things?

    Also, for what it is worth, it takes quite a while for the computer to start Spybot.

    If it helps, I am fairly well versed in DOS if anyone still uses it!

    Bill

  3. #3
    Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,300

    Default

    Hi

    1. Download this file -
    combofix.exe to your desktop.
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your
    next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause
    it to stall


    I was reading through other members whom you have helped and I noticed that you handle each case individually...is there no universal procedure to remove these things?
    No, in these cases there's no universal procedure to removing.
    Microsoft Windows Insider MVP 2016
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  4. #4
    Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,300

    Default

    Due to inactivity, this thread will now be closed.

    Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

    If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
    Microsoft Windows Insider MVP 2016
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •