Thread: Resistant Virtumonde

  1. #1
    Junior Member (Join Date: Feb 2008, Posts: 2)

    Resistant Virtumonde

    Greetings. I am an IT professional who is trying to help a friend with an infection of Virtumonde. It is detected by Trend Micro HouseCall, Spybot S&D, Adaware, and CA eTrust Pest Patrol. All programs take action (quarantine or delete) and have the latest definitions. I even tried manually deleting registry entries I found in a Symantec KB article. Despite all of this the popups continue to appear.

    Kaspersky's Online Scan causes IE to freeze just seconds into the scan. HJT comes up with a program error just after starting (HijackThis.exe has generated errors and will be closed...). Quite honestly I'm stumped at this point. In 10 years I've never had this much trouble with an infection. Members of this community seem to be experts at Virtumonde removal so I am anxious for advice and am ready to learn something new.

  2. #2
    Junior Member (Join Date: Feb 2008, Posts: 2)

    Update

    I was able to get HJT to run briefly. It still closed, but it did create a log file:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:41:47 PM, on 2/26/2008
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
    C:\Program Files\CA\eTrustITM\InoRpc.exe
    C:\Program Files\CA\eTrustITM\InoRT.exe
    C:\Program Files\CA\eTrustITM\InoTask.exe
    C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
    C:\WINNT\LogWatNT.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\CA\eTrustITM\ppcl.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\CA\eTrustITM\ppcl.exe
    C:\WINNT\system32\hkcmd.exe
    C:\WINNT\system32\igfxpers.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\system32\Rundll32.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINNT\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrustITM\realmon.exe" -s
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [PPRT] C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC_Logon.exe
    O4 - HKLM\..\Run: [GoToAssist Express Customer] "C:\Program Files\Citrix\GoToAssist Express Customer\61\g2ax_service.exe" Start=logon
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [64e83d31] rundll32.exe "C:\WINNT\system32\seqopski.dll",b
    O4 - HKLM\..\Run: [BM67db0ead] Rundll32.exe "C:\WINNT\system32\rpkheysg.dll",s
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Search - ?p=ZRxdm429LXUS
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} - http://scanner2.malware-scan.com/setup/webinst.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1179929834312
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/14...2/cpbrkpie.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E1968D17-10E5-4706-9D75-34B172ABC5C0}: NameServer = 151.197.0.38,151.201.0.38
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: GoToAssist Express Customer - Unknown owner - C:\Program Files\Citrix\GoToAssist Express Customer\61\g2ax_service.exe
    O23 - Service: iTechnology iGateway 4.2 (iGateway) - CA, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
    O23 - Service: eTrust ITM RPC Service (InoRPC) - CA - C:\Program Files\CA\eTrustITM\InoRpc.exe
    O23 - Service: eTrust Antivirus Realtime Service (InoRT) - CA - C:\Program Files\CA\eTrustITM\InoRT.exe
    O23 - Service: eTrust ITM Job Service (InoTask) - CA - C:\Program Files\CA\eTrustITM\InoTask.exe
    O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
    O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINNT\LogWatNT.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\spool\DRIVERS\W32X86\3\HPZipm12.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 5442 bytes
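The two O4 entries in the log above (`[64e83d31]` and `[BM67db0ead]`, each using rundll32.exe to load an eight-letter DLL from system32 through a single-letter export) are the pattern worth isolating from the benign Run keys. The following triage script is an added example, not code from the post or from HijackThis; it parses O4 lines and flags that pattern using heuristics that are assumptions drawn from this log (hex-looking value names, single-letter rundll32 exports, random-looking eight-letter DLL names under system32). The sample input is a subset of O4 lines copied from the log in the post.

```python
import re

# Sample input: O4 lines copied from the HijackThis log in the post above
# (a constructed subset; the full log is not reproduced here).
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [64e83d31] rundll32.exe "C:\WINNT\system32\seqopski.dll",b
O4 - HKLM\..\Run: [BM67db0ead] Rundll32.exe "C:\WINNT\system32\rpkheysg.dll",s
"""

# "O4 - <hive path>: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# rundll32[.exe] "<dll path>",<export>
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE)


def parse_o4(line):
    """Return the hive, value name and command of an O4 line, or None."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def suspicious_reasons(entry):
    """Heuristics (assumptions based on this log) that mark an O4 entry for review."""
    reasons = []
    # Value names such as 64e83d31 or BM67db0ead: hex-looking, not a product name.
    if re.fullmatch(r'(?:BM)?[0-9a-f]{8,}', entry["name"]):
        reasons.append("hex-looking Run value name")
    m = RUNDLL_RE.match(entry["cmd"])
    if m:
        dll, export = m.group("dll"), m.group("export")
        if len(export) == 1:
            reasons.append("rundll32 calling a single-letter export")
        base = dll.rsplit("\\", 1)[-1][:-4].lower()  # file name without .dll
        if "system32" in dll.lower() and re.fullmatch(r'[a-z]{8}', base):
            reasons.append("eight-letter DLL name in system32 loaded via rundll32")
    return reasons


def triage(log_text):
    """Return (value name, reasons) for every O4 entry that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is not None and (reasons := suspicious_reasons(entry)):
            findings.append((entry["name"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG):
        print(f"[{name}] -> {'; '.join(reasons)}")
```

Flagged entries are candidates for review, not verdicts; the DLL paths they reference are what a responder would submit for scanning or pull from the system for analysis.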
