Results 1 to 8 of 8

Thread: Help removing Virtumonde and others

  1. #1
    Junior Member
    Join Date
    Jul 2008
    Posts
    4

    Unhappy Help removing Virtumonde and others

    9/10 I'm overly careful with what I download and always run NOD32 on files before extracting, however this time NOD32 failed me, and with the leak came loads of garbage. I have HijackThis, Spybot and Malwarebytes Anti-Malware installed and I'm ready for assistance. Please help me take this garbage to the curb! ~Jerry

    Stuff I'm finding with Spybot and Malwarebytes:

    Product: Win32.Banker.aipy.rtk
    Threat: Trojan
    2 entries Trojans

    Product: Virtumonde.Dll
    Threat: Trojan
    6 entries TrojansC

    --------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:58:19 AM, on 7/30/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O3 - Toolbar: fdkowvbp - {7EB73DDA-FC6B-4064-8B30-89E6AE779699} - C:\WINDOWS\fdkowvbp.dll (file missing)
    O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
    O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\System32\JMRaidSetup.exe boot
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKLM\..\RunOnce: [SpybotDeletingA4818] command /c del "C:\WINDOWS\system32\nnnLeday.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC3761] cmd /c del "C:\WINDOWS\system32\nnnLeday.dll"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\RunOnce: [SpybotDeletingB1962] command /c del "C:\WINDOWS\system32\nnnLeday.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD5515] cmd /c del "C:\WINDOWS\system32\nnnLeday.dll"
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 5020 bytes

    --------------------

    AMalwarebytes' Anti-Malware 1.23
    Database version: 1008
    Windows 5.1.2600 Service Pack 3

    2:20:56 AM 7/30/2008
    mbam-log-7-30-2008 (02-20-52).txt

    Scan type: Quick Scan
    Objects scanned: 43572
    Time elapsed: 2 minute(s), 14 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 3
    Registry Keys Infected: 9
    Registry Values Infected: 5
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 10

    Memory Processes Infected:
    C:\WINDOWS\system32\lanmanwrk.exe (Backdoor.Qmop) -> No action taken.

    Memory Modules Infected:
    C:\WINDOWS\system32\ljJYrsPj.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> No action taken.
    C:\WINDOWS\system32\nnnLeday.dll (Trojan.Vundo) -> No action taken.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5601ccea-3ae6-4af9-a880-fe2e75b7e0c7} (Trojan.Vundo) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{5601ccea-3ae6-4af9-a880-fe2e75b7e0c7} (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winctrl32 (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fbf85a20-ff88-4c46-90fb-b023e5c4eca0} (Trojan.BHO) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{fbf85a20-ff88-4c46-90fb-b023e5c4eca0} (Trojan.BHO) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnleday (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmandrv (Rootkit.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmandrv (Rootkit.Agent) -> No action taken.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingb1962 (Trojan.Vundo) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingd5515 (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletinga4818 (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingc3761 (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{fbf85a20-ff88-4c46-90fb-b023e5c4eca0} (Trojan.Vundo) -> No action taken.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\ljjyrspj -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ljjyrspj -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\ljJYrsPj.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\jPsrYJjl.ini (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\jPsrYJjl.ini2 (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> No action taken.
    C:\WINDOWS\system32\lanmanwrk.exe (Backdoor.Qmop) -> No action taken.
    C:\WINDOWS\system32\nnnLeday.dll (Trojan.BHO) -> No action taken.
    C:\WINDOWS\system32\WinCtrl32.dl_ (Trojan.Agent) -> No action taken.
    C:\WINDOWS\system32\qmopt.dll (Malware.Trace) -> No action taken.
    C:\WINDOWS\system32\lanmandrv.sys (Rootkit.Agent) -> No action taken.
    C:\WINDOWS\system32\drivers\Winva83.sys (Rootkit.Agent) -> No action taken.

  2. #2
    Emeritus
    Join Date
    Aug 2007
    Posts
    1,875

    Default

    Hello and welcome to Safer Networking.

    My name is km2357 and I will be helping you to remove any infection(s) that you may have.

    I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

    If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

    Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

    Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.


    I will be back as soon as possible with your first instructions!
    Malware Removal University Master
    Member of ASAP & UNITE

  3. #3
    Emeritus
    Join Date
    Aug 2007
    Posts
    1,875

    Default

    While I'm helping you, please post all HiJackThis Logs I ask for in Normal Mode, not Safe Mode. Thanks.


    Step # 1 Download CCleaner

    Download CCleaner from here to clean temp files from your computer.
    • Double click on the ccsetup.exe file to start the installation of the program.
    • Select your language and click OK, then next.
    • Read the license agreement and click I Agree.
    • Click next to use the default install location.
    • Under Install Options, choose all the default settings except I would recommend that you unclick/untick install the Yahoo! Toolbar, unless you want it. You can also Uncheck the 'Automatically check for updates' box.
    • Click Install then finish to complete installation.




    Step # 2 Retrieve the Installed Programs List from CCleaner

    Open CCleaner if it's not already running.
    In the Left Pane, click Tools
    Verify that Uninstall is highlighted in color, or click on it.
    In the lower Right, click Save to Text File.
    Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
    You can leave the filename as install.txt
    Click Save
    Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.



    Step # 3: Download and Run ComboFix

    We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Be sure to save ComboFix.exe to your Desktop

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:

    1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleaning the system:

    CCleaner Install List
    C:\ComboFix.txt
    New HijackThis log.



    Use multiple posts if you can't fit everything into one post.
    Malware Removal University Master
    Member of ASAP & UNITE

  4. #4
    Junior Member
    Join Date
    Jul 2008
    Posts
    4

    Thumbs up

    Quote Originally Posted by km2357 View Post
    Hello and welcome to Safer Networking.

    My name is km2357 and I will be helping you to remove any infection(s) that you may have.
    Thanks, km2357. As soon as I return home from the office this evening (7pm EST), I will post my HiJackThis Logs (in normal mode of course) and begin working with you.

    Thank you in advance for your assistance.

    Jerry

  5. #5
    Junior Member
    Join Date
    Jul 2008
    Posts
    4

    Default

    I decided to take the long way home and do a clean install.

    Sorry, I just wanted to be extra safe.

  6. #6
    Emeritus
    Join Date
    Aug 2007
    Posts
    1,875

    Default

    That's perfectly fine and thanks for letting me know.

    Here are some tips to help clean your computer clean of spyware/malware in the future:

    Make your Internet Explorer more secure This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub frames across different domains to Prompt
    5. When all these settings have been made, click on the OK button.
    6. If it asks you if you want to save the settings, press the Yes button.
    7. Next press the Apply button and then the OK to exit the Internet Properties page.

    Set correct settings for files that should be hidden in Windows XP
    • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
    • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
    • If unchecked please checkHide protected operating system files (Recommended)
    • If necessary check "Display content of system folders"
    • If necessary Uncheck Hide file extensions for known file types.
    • Click OK

    • Use An Antivirus Software and Keep It Updated - It is very important that your computer has an antivirus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
    • Visit Microsoft's Windows Update Site Frequently It is important that you visit Microsoft Windows Update regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
    • Install SpywareBlaster SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
      Computer Safety on line Anti Malware
    • Use the hosts file: Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download mvps hosts file Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
      1. Click the start button on the task bar at the bottom of your screen
      2. Click run
      3. In the dialog box, type services.msc
      4. hit enter, then locate dns client
      5. Highlight it, then doubleclick it.
      6. On the dropdown box, change the setting from automatic to manual.
      7. Click ok..
    • Use an alternative instant messenger program.Trillian and Miranda IM These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
    • Please read Tony Klein's excellent article: How I got Infected in the First Place
    • Please read Understanding Spyware, Browser Hijackers, and Dialers
    • Please read Simple and easy ways to keep your computer safe and secure on the Internet
    • If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox or
      Opera.
      If you decide to use either FireFox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.
    • Update all these programs regularly Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    • If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back.
    Follow these steps and your potential for being infected again will reduce dramatically.

    Here's a good website to read about Malware prevention:

    http://users.telenet.be/bluepatchy/m...revention.html

    Good luck!


    Please reply one last time so that I know you have read my post and this thread can be closed.
    Malware Removal University Master
    Member of ASAP & UNITE

  7. #7
    Junior Member
    Join Date
    Jul 2008
    Posts
    4

    Default

    Thank you for the extra pointers. I just set the correct options you suggested for "Set correct settings for files that should be hidden in Windows XP ".

    I will also bookmark this forum/thread and heed your advice!

    Thanks again.

  8. #8
    Emeritus
    Join Date
    Aug 2007
    Posts
    1,875

    Default

    You're welcome. I'm glad I was able to help out.
    Malware Removal University Master
    Member of ASAP & UNITE

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •