
Thread: Suspected Virtumonde infection

  #1  Junior Member (joined Apr 2009, 13 posts)

    Suspected Virtumonde infection

    Hello all --

    I suspect that I have a lingering Virtumonde infection. A few weeks ago my computer started behaving erratically (popups, etc.) -- Spybot detected Virtumonde, and between it and AVG Antivirus I managed to clear Virtumonde out (or so I thought). However, even after re-installing Windows (on top of my current install -- no drive re-formatting) I'm still having Google search links re-directed in Firefox.

    I've now read the stickies about what to do before posting. My HJT log is pasted in below. Thanks in advance for your help.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:56:57 PM, on 4/28/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Documents and Settings\Jordan.LILYPAD\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Jordan.LILYPAD\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jordan.LILYPAD\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-21-1390067357-1547161642-839522115-1004\..\Run: [Google Update] "C:\Documents and Settings\Caroline.LILYPAD\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (User 'Caroline')
    O4 - S-1-5-21-1390067357-1547161642-839522115-1004 User Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe (User 'Caroline')
    O4 - S-1-5-21-1390067357-1547161642-839522115-1004 User Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User 'Caroline')
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1240364766266
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

    --
    End of file - 5739 bytes

  #2  Security Expert: Emeritus, Finland (joined Oct 2006, 29,374 posts)

    Hi JordanW

    Please download GooredFix from one of the locations below and save it to your Desktop
    Download Mirror #1
    Download Mirror #2
    • Double-click GooredFix.exe to run it.
    • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
    • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
    Note: Do not run Option #2 yet.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  #3  Junior Member (joined Apr 2009, 13 posts)

    Hi Shaba,

    Thanks for your help. The GooredFix log is pasted below.

    GooredFix v1.92 by jpshortstuff
    Log created at 17:51 on 29/04/2009 running Option #1 (Jordan)
    Firefox version 3.0.10 (en-US)

    =====Suspect Goored Entries=====

    C:\Program Files\Mozilla Firefox\extensions\{FC3F3D2E-3D12-4B1B-ABA6-1C8D147538F4}

    C:\Program Files\Mozilla Firefox\extensions\{F4B69F1A-E106-4E65-9EAC-87EB6F4B9E55}

    C:\Program Files\Mozilla Firefox\extensions\{BAA8552A-EF5B-48B1-AE59-875512122F00}

    C:\Program Files\Mozilla Firefox\extensions\{B8558E8C-872E-4CAD-B882-7657AB551B9A}

    C:\Program Files\Mozilla Firefox\extensions\{A313C5BF-1E66-48DD-AB09-412E65A9E0BD}

    C:\Program Files\Mozilla Firefox\extensions\{A1E3E976-79AD-484C-B7E7-5A57FC31E75B}

    C:\Program Files\Mozilla Firefox\extensions\{96EC986A-43B1-4688-91A5-BA8366552E31}

    C:\Program Files\Mozilla Firefox\extensions\{6A1A26F3-E35A-4D4D-9963-4AA1D16A4AF4}

    C:\Program Files\Mozilla Firefox\extensions\{65B977A9-9E41-4BC0-B58D-529BB5C8E930}

    C:\Program Files\Mozilla Firefox\extensions\{46E12999-66C5-43BB-8C60-867FE4AE9CA0}

    C:\Program Files\Mozilla Firefox\extensions\{3EF098FD-9332-4B09-B99C-CC3E4A52A823}

    C:\Program Files\Mozilla Firefox\extensions\{3E4308E2-495B-4D82-9FA8-E7B71F4CC431}

    C:\Program Files\Mozilla Firefox\extensions\{1E12D67B-D47B-446E-993B-E4F58A97D499}

    C:\Program Files\Mozilla Firefox\extensions\{16C9BA60-A6A4-4522-AF8A-3AED15DBB96E}

    C:\Program Files\Mozilla Firefox\extensions\{0980978C-8D90-41D5-9D3D-11C76D7BA576}

    =====Dumping Registry Values=====

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
    "Plugins"="C:\Program Files\Mozilla Firefox\plugins"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
    "Components"="C:\Program Files\Mozilla Firefox\components"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"

  #4  Security Expert: Emeritus, Finland (joined Oct 2006, 29,374 posts)

    Please double-click GooredFix.exe on your Desktop to run it.
    • Select "2. Fix Goored" by typing 2 and pressing Enter.
    • Make sure all instances of Firefox are closed at this point.
    • Type y at the prompt and press Enter again.
    • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
    Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

  #5  Junior Member (joined Apr 2009, 13 posts)

    Thanks Shaba. I followed your instructions, which generated the following log file:

    GooredFix v1.92 by jpshortstuff
    Log created at 00:08 on 30/04/2009 running Option #2 (Jordan)
    Firefox version 3.0.10 (en-US)

    =====Goored Deletions=====
    C:\Program Files\Mozilla Firefox\extensions\{FC3F3D2E-3D12-4B1B-ABA6-1C8D147538F4}
    ->Backing up folder... Done.
    ->Emptying folder... Done.
    ->Deleting folder... Done.
    C:\Program Files\Mozilla Firefox\extensions\{F4B69F1A-E106-4E65-9EAC-87EB6F4B9E55}
    ->Backing up folder... Done.
    ->Emptying folder... Done.
    ->Deleting folder... Done.
    C:\Program Files\Mozilla Firefox\extensions\{BAA8552A-EF5B-48B1-AE59-875512122F00}
    ->Backing up folder... Done.
    ->Emptying folder... Done.
    ->Deleting folder... Done.
    C:\Program Files\Mozilla Firefox\extensions\{B8558E8C-872E-4CAD-B882-7657AB551B9A}
    ->Backing up folder... Done.
    ->Emptying folder... Done.
    ->Deleting folder... Done.
    C:\Program Files\Mozilla Firefox\extensions\{A313C5BF-1E66-48DD-AB09-412E65A9E0BD}
    ->Backing up folder... Done.
    ->Emptying folder... Done.
    ->Deleting folder... Done.
    C:\Program Files\Mozilla Firefox\extensions\{A1E3E976-79AD-484C-B7E7-5A57FC31E75B}
    ->Backing up folder... Done.
    ->Emptying folder... Done.
    ->Deleting folder... Done.
    C:\Program Files\Mozilla Firefox\extensions\{96EC986A-43B1-4688-91A5-BA8366552E31}
    ->Backing up folder... Done.
    ->Emptying folder... Done.
    ->Deleting folder... Done.
    C:\Program Files\Mozilla Firefox\extensions\{6A1A26F3-E35A-4D4D-9963-4AA1D16A4AF4}
    ->Backing up folder... Done.
    ->Emptying folder... Done.
    ->Deleting folder... Done.
    C:\Program Files\Mozilla Firefox\extensions\{65B977A9-9E41-4BC0-B58D-529BB5C8E930}
    ->Backing up folder... Done.
    ->Emptying folder... Done.
    ->Deleting folder... Done.
    C:\Program Files\Mozilla Firefox\extensions\{46E12999-66C5-43BB-8C60-867FE4AE9CA0}
    ->Backing up folder... Done.
    ->Emptying folder... Done.
    ->Deleting folder... Done.
    C:\Program Files\Mozilla Firefox\extensions\{3EF098FD-9332-4B09-B99C-CC3E4A52A823}
    ->Backing up folder... Done.
    ->Emptying folder... Done.
    ->Deleting folder... Done.
    C:\Program Files\Mozilla Firefox\extensions\{3E4308E2-495B-4D82-9FA8-E7B71F4CC431}
    ->Backing up folder... Done.
    ->Emptying folder... Done.
    ->Deleting folder... Done.
    C:\Program Files\Mozilla Firefox\extensions\{1E12D67B-D47B-446E-993B-E4F58A97D499}
    ->Backing up folder... Done.
    ->Emptying folder... Done.
    ->Deleting folder... Done.
    C:\Program Files\Mozilla Firefox\extensions\{16C9BA60-A6A4-4522-AF8A-3AED15DBB96E}
    ->Backing up folder... Done.
    ->Emptying folder... Done.
    ->Deleting folder... Done.
    C:\Program Files\Mozilla Firefox\extensions\{0980978C-8D90-41D5-9D3D-11C76D7BA576}
    ->Backing up folder... Done.
    ->Emptying folder... Done.
    ->Deleting folder... Done.

    =====Dumping Registry Values=====

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
    "Plugins"="C:\Program Files\Mozilla Firefox\plugins"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
    "Components"="C:\Program Files\Mozilla Firefox\components"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"
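The two GooredFix runs above (option 1 in post #3 listing GUID-named folders under C:\Program Files\Mozilla Firefox\extensions and dumping HKLM\SOFTWARE\Mozilla\Firefox\extensions; option 2 in post #5 backing each folder up and deleting it) can be reproduced with a short script. What follows is an added example written for this page, not GooredFix's own code and not jpshortstuff's logic: the "suspect" rule (any GUID-named folder in the global extensions directory that the analyst has not allow-listed) is an assumption, as are the folder contents, the em:name values and the third extension id in the constructed sample tree; the other two ids are copied from the log above. One observation that motivates the check: the HijackThis log in post #1 does not enumerate Firefox extensions at all, so a clean-looking HJT log does not rule out an extension-based search hijack.

```python
"""Find-and-fix triage of GUID-named Firefox extension folders, modelled on the
"Find Goored" / "Fix Goored" steps in the thread.  Added example, not GooredFix
itself; the suspect rule below is an assumption for illustration."""
import re
import shutil
import sys
import tempfile
from pathlib import Path

# Extension ids of the form {8-4-4-4-12 hex}, as in the GooredFix log.
GUID_RE = re.compile(r"^\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}$", re.I)


def registered_extensions():
    """Reproduce the registry dump section: values under
    HKLM\\SOFTWARE\\Mozilla\\Firefox\\extensions (id -> folder Firefox loads).
    Windows only; returns {} elsewhere so the rest of the script stays portable."""
    if sys.platform != "win32":
        return {}
    import winreg
    found, index = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Mozilla\Firefox\extensions") as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:            # no more values
                break
            found[name] = data
            index += 1
    return found


def manifest_field(folder, field):
    """Pull <em:field> out of install.rdf with a plain regex; None if absent."""
    rdf = folder / "install.rdf"
    if not rdf.is_file():
        return None
    match = re.search(rf"<em:{field}>\s*([^<]+?)\s*</em:{field}>",
                      rdf.read_text(errors="replace"))
    return match.group(1) if match else None


def find_goored(extensions_dir, allowlist=()):
    """Option 1: list GUID-named folders in the global extensions directory that
    are not on the allow-list of extensions the user knowingly installed.
    Returns (folder, em:name or None) pairs so each hit can be judged by hand."""
    allowed = {a.lower() for a in allowlist}
    suspects = []
    for entry in sorted(extensions_dir.iterdir()):
        if not entry.is_dir() or not GUID_RE.match(entry.name):
            continue
        if entry.name.lower() in allowed:
            continue
        suspects.append((entry, manifest_field(entry, "name")))
    return suspects


def fix_goored(folders, backup_dir):
    """Option 2: back each folder up under backup_dir, then delete it, so the
    change can be reverted if a legitimate extension was caught."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    removed = []
    for folder in folders:
        dest = backup_dir / folder.name
        shutil.copytree(folder, dest)   # backing up folder
        shutil.rmtree(folder)           # emptying and deleting folder
        removed.append((folder, dest))
    return removed


def build_sample_install(root):
    """Constructed sample tree: two ids taken from the GooredFix log, one made-up
    id standing in for an extension the user wanted, one non-GUID folder."""
    ext = root / "Mozilla Firefox" / "extensions"
    for eid, name in [
        ("{FC3F3D2E-3D12-4B1B-ABA6-1C8D147538F4}", "Sample Extension A"),
        ("{F4B69F1A-E106-4E65-9EAC-87EB6F4B9E55}", "Sample Extension B"),
        ("{AAAAAAAA-0000-0000-0000-AAAAAAAAAAAA}", "Wanted Toolbar"),
    ]:
        folder = ext / eid
        folder.mkdir(parents=True)
        (folder / "install.rdf").write_text(
            f"<RDF><Description><em:id>{eid}</em:id>"
            f"<em:name>{name}</em:name></Description></RDF>")
        (folder / "chrome.manifest").write_text("content sample chrome/\n")
    (ext / "sample@example.invalid").mkdir()
    return ext


def demo():
    """Run find and fix on the sample tree; return what was flagged, what was
    backed up, and what is left in the extensions directory."""
    with tempfile.TemporaryDirectory() as tmp:
        ext = build_sample_install(Path(tmp))
        suspects = find_goored(ext, ["{AAAAAAAA-0000-0000-0000-AAAAAAAAAAAA}"])
        removed = fix_goored([f for f, _ in suspects], Path(tmp) / "GooredFix_backup")
        flagged = [(f.name, name) for f, name in suspects]
        backups = [d.name for _, d in removed]
        remaining = sorted(p.name for p in ext.iterdir())
    return flagged, backups, remaining


if __name__ == "__main__":
    for item in demo():
        print(item)
```

On a real machine, point find_goored at the actual extensions directory, review every (folder, em:name) pair it returns, and only then hand the folders you are sure about to fix_goored; the backup directory is what makes a wrong call recoverable. registered_extensions() covers the second load mechanism the log dumps (registry-registered paths such as the AVG entry), which the folder scan alone does not see.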

  #6  Security Expert: Emeritus, Finland (joined Oct 2006, 29,374 posts)

    • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open. Please post the contents of both log.txt (<< will be maximized) and info.txt (<< will be minimized)
