
Thread: Please help with Vundo, Virtumonde trojan!

  1. #1
    Junior Member
    Join Date
    Dec 2008
    Posts
    3

    Please help with Vundo, Virtumonde trojan!

    Running Malwarebytes' Anti-Malware found a Trojan.Vundo and a Trojan.Vundo.H. The Malwarebytes software claimed that it removed them.

    Running Spybot S&D after that found 10 Virtumonde objects (different variations) and a Smitfraud. I fixed the objects with Spybot.

    Now it takes forever to shut down Windows and explorer.exe can't end at shutdown, plus I can't turn on automatic Windows updates, and the firewall is not on for some time after I boot the PC. How do I get totally rid of Virtumonde? I've never had problems with trojans till now. I've been having this problem for two days now, starting with browsers trying to connect to www.liveantiviruspccheck.com (never connected) and:

    IE 8 has got some weird BHOs named Zone Game DLL - Checkers (not verified as Microsoft's), and my Spybot's resident shield is frequently prompting me to allow weird objects to be added to startup and as BHOs. I've put some weird dll objects into Avast's quarantine chest - awtrOgfD.dll, efcYPGVl.dll, klsaycxh.dll, uadvrpvu.dll, all found in system32. What are those? Are they needed to run Windows?
    Avast itself quarantined the files UADVRPVU.DLL and qoMcywxx.dll, both located in system32.

    What are the following objects that I see in my Autoruns software?:

    awtrogfd.dll Zone Game DLL - Checkers (Not verified) Microsoft Corporation c:\windows\system32\awtrogfd.dll (under explorer shellExecuteHooks)

    {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} Zone Game DLL - Checkers (Not verified) Microsoft Corporation c:\windows\system32\awtrogfd.dll (under explorer BHO)

    {DDA314AC-3EE0-466B-AED1-16263A7F03A0} Zone Game DLL - Checkers (Not verified) Microsoft Corporation c:\windows\system32\efcypgvl.dll (under explorer BHO)

    awtrOgfD Zone Game DLL - Checkers (Not verified) Microsoft Corporation c:\windows\system32\awtrogfd.dll (under winlogon\notify)

    C:\WINDOWS\system32\efcYPGVl Zone Game DLL - Checkers (Not verified) Microsoft Corporation c:\windows\system32\efcypgvl.dll (under Lsa\ Authentication packages)

    I've been unchecking them in Autoruns to prevent them from running at startup, but they keep prompting me through TeaTimer to add them back, and they are always back when I reboot, whether I allow them or not in the Spybot shield. :(
    What are these? Please help! I've never dealt with trojans. Thank you in advance! Here's my copied HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:55:37, on 31/12/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18241)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Avast4\aswUpdSv.exe
    C:\Program Files\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\ThreatFire\TFTray.exe
    C:\Program Files\etnkl\ETNKL.exe
    C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\MSI\3D!Turbo Experience\3D!Turbo.exe
    C:\WINDOWS\System32\SCardSvr.exe
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
    C:\Program Files\ThreatFire\TFService.exe
    C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
    C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
    C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
    C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
    C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Avast4\ashMaiSv.exe
    C:\Program Files\Avast4\ashWebSv.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neti.ee/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = www.neti.ee/proxy.pac
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    R3 - URLSearchHook: (no name) - {ecdee021-0d17-467f-a1ff-c7a115230949} - (no file)
    O3 - Toolbar: (no name) - {6AE02E1C-8859-4F57-9097-5A55A56A4CAF} - (no file)
    O3 - Toolbar: (no name) - {ecdee021-0d17-467f-a1ff-c7a115230949} - (no file)
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock
    O4 - HKLM\..\Run: [EstEID AIP switch] "C:\Program Files\IT Arendus\ID-kaart\aipswitch.exe" 1
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
    O4 - HKLM\..\Run: [MSRegScan] C:\Program Files\etnkl\ETNKL.exe
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-21-583907252-602162358-1801674531-1005\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'postgres')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: 3D!Turbo Experience.lnk = C:\Program Files\MSI\3D!Turbo Experience\3D!Turbo.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&kspordi Microsoft Excelisse - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - AutorunsDisabled - (no file)
    O9 - Extra button: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll
    O9 - Extra 'Tools' menuitem: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll
    O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
    O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: (no name) - {F4430FE8-2638-42e5-B849-800749B94EED} - (no file)
    O16 - DPF: {096DCF31-53FA-4BA6-A729-D85D29FC0D70} (Detect Class) - https://installer.id.ee/IDInstaller.cab
    O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX 5.5 Basic) - http://www.eha.ee/eelk/p11/eelk/ScriptX.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {506AC62C-F7C4-4869-B8BB-9344AB3E5561} (QCapsule Class) - https://demo.valimised.ee/evotein.cab
    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1150653869343
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1150653971781
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://webcam.werro.ee/activex/AxisCamControl.ocx
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Regi...CX/flashax.cab
    O16 - DPF: {E8EB147D-ABEF-4228-A603-AAA845D1B2C1} (esteidTool Class) - http://www.sk.ee/id-kontroll/20070223.cab
    O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6B2DBA42-9CEB-4A11-A17D-065485508983}: NameServer = 81.21.240.1,81.21.255.1
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
    O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
    O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

    --
    End of file - 9328 bytes

  2. #2
    Junior Member
    Join Date
    Dec 2008
    Posts
    3

    Edit to previous message...

    There's a link in my message above to www.liveantivirus.... Please do not follow that!

    I just found out I can't edit my message.. :(

    Sorry!

  3. #3
    Junior Member
    Join Date
    Dec 2008
    Posts
    3

    Please! Can someone tell me whether these files are malware or not?!

    Do these files belong to Microsoft? -

    C:\WINDOWS\system32\lVGPYcfe.ini (I'm not sure about the l-letter in the file name)

    C:\WINDOWS\system32\lVGPYcfe.ini2

    C:\WINDOWS\system32\efcYPGVl.dll

    C:\WINDOWS\system32\uadvrpvu.dll

    C:\WINDOWS\system32\awtrOgfD.dll

    Thanks in advance!
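The Autoruns entries listed in post #1 and the file names asked about in post #3 share two traits a responder can check mechanically: every module shows "(Not verified)" next to a Microsoft publisher string while living in system32, each is registered in early-load locations (Winlogon Notify, LSA Authentication Packages, ShellExecuteHooks, BHO), and the .ini/.ini2 names are the letter-for-letter reverse of a .dll name (lVGPYcfe is efcYPGVl backwards). The script below is an added triage example, not code from the thread, from Autoruns or from any of the tools named; the entry list and file list are re-typed from the posts as constructed input, the benign avast! row is constructed as a control, and the function names are my own.

```python
import re

# Constructed from the Autoruns lines quoted in post #1:
# (autostart location, entry name, publisher column, image path).
# The final avast! row is a constructed benign control, not from the thread.
AUTORUNS_ENTRIES = [
    ("explorer ShellExecuteHooks", "awtrogfd.dll",
     "(Not verified) Microsoft Corporation", r"c:\windows\system32\awtrogfd.dll"),
    ("explorer BHO", "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}",
     "(Not verified) Microsoft Corporation", r"c:\windows\system32\awtrogfd.dll"),
    ("explorer BHO", "{DDA314AC-3EE0-466B-AED1-16263A7F03A0}",
     "(Not verified) Microsoft Corporation", r"c:\windows\system32\efcypgvl.dll"),
    ("winlogon\\notify", "awtrOgfD",
     "(Not verified) Microsoft Corporation", r"c:\windows\system32\awtrogfd.dll"),
    ("Lsa\\Authentication Packages", "C:\\WINDOWS\\system32\\efcYPGVl",
     "(Not verified) Microsoft Corporation", r"c:\windows\system32\efcypgvl.dll"),
    ("HKLM Run", "avast!",
     "(Verified) ALWIL Software", r"c:\program files\avast4\ashdisp.exe"),
]

# Constructed from the file list in post #3.
SYSTEM32_FILES = [
    r"C:\WINDOWS\system32\lVGPYcfe.ini",
    r"C:\WINDOWS\system32\lVGPYcfe.ini2",
    r"C:\WINDOWS\system32\efcYPGVl.dll",
    r"C:\WINDOWS\system32\uadvrpvu.dll",
    r"C:\WINDOWS\system32\awtrOgfD.dll",
]

# Locations that load a DLL into winlogon, lsass or explorer at logon; an
# unverified module registered here deserves scrutiny whatever its name.
HIGH_VALUE_LOCATIONS = (
    "winlogon\\notify", "lsa\\authentication packages", "shellexecutehooks", "bho",
)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def stem(name):
    return name.rsplit(".", 1)[0] if "." in name else name


def find_reversed_pairs(paths):
    """Map each .ini/.ini2 path to the .dll whose name is its exact reverse."""
    dlls = {stem(basename(p)).lower(): p
            for p in paths if basename(p).lower().endswith(".dll")}
    pairs = {}
    for p in paths:
        name = basename(p)
        if re.search(r"\.ini2?$", name, re.IGNORECASE):
            mirrored = stem(name).lower()[::-1]   # "lvgpycfe" -> "efcypgvl"
            if mirrored in dlls:
                pairs[p] = dlls[mirrored]
    return pairs


def flag_entries(entries):
    """Return (location, module, reasons) for entries worth a closer look."""
    flagged = []
    for location, _entry, publisher, path in entries:
        pub, loc = publisher.lower(), location.lower()
        reasons = []
        if pub.startswith("(not verified)") and "microsoft" in pub \
                and "\\system32\\" in path.lower():
            reasons.append("claims Microsoft but signature not verified, in system32")
        if pub.startswith("(not verified)") \
                and any(k in loc for k in HIGH_VALUE_LOCATIONS):
            reasons.append("unverified module in early-load location: " + location)
        if reasons:
            flagged.append((location, basename(path).lower(), reasons))
    return flagged


def modules_by_file(flagged):
    """Group the flagged locations per module; one DLL hooked in several
    places at once is the pattern to note, not any single entry."""
    grouped = {}
    for location, module, _reasons in flagged:
        grouped.setdefault(module, []).append(location)
    return {m: sorted(locs) for m, locs in grouped.items()}


if __name__ == "__main__":
    for ini, dll in find_reversed_pairs(SYSTEM32_FILES).items():
        print(f"{basename(ini)} is the reverse of {basename(dll)}")
    for module, locations in modules_by_file(flag_entries(AUTORUNS_ENTRIES)).items():
        print(f"{module}: registered in {', '.join(locations)}")
```

The output groups the two DLLs with every autostart location they occupy, and ties the .ini/.ini2 files to efcYPGVl.dll by name reversal alone; neither check needs the file contents, so the same logic runs against a pasted Autoruns export from any machine. "(Not verified)" is what Autoruns shows when the file's code signature cannot be validated against the publisher named in its version resource, which is why a Microsoft label on an unverified system32 module is the first thing the script tests.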
