Virtumonde, Virtumonde.Generic & possible others

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply, along with a new HijackThis log and a description of any remaining problems.
  • Click Close to exit the program.
 
Scan Log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/01/2007 at 01:53 AM

Application Version : 3.9.1008

Core Rules Database Version : 3353
Trace Rules Database Version: 1352

Scan type : Complete Scan
Total Scan Time : 01:03:37

Memory items scanned : 404
Memory threats detected : 0
Registry items scanned : 4364
Registry threats detected : 0
File items scanned : 32193
File threats detected : 18

Adware.Tracking Cookie
C:\Documents and Settings\Home\Cookies\home@pcprivacytool[1].txt
C:\Documents and Settings\Home\Cookies\home@protect.spyguardpro[1].txt
C:\Documents and Settings\Home\Cookies\home@shop.pcprivacytool[1].txt
C:\Documents and Settings\Home\Cookies\home@privacy.pcprivacytool[1].txt
C:\Documents and Settings\Home\Cookies\home@2440[3].txt
C:\Documents and Settings\Home\Cookies\home@spyguardpro[2].txt
C:\Documents and Settings\Home\Cookies\home@2440[2].txt

Adware.Vundo-Variant
C:\PROGRAM FILES\ANTISPYWARE\ANALYSETRENDMICRO\BACKUPS\BACKUP-20071119-180519-694.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B8EE8118-149E-4481-8096-6D6FBFCC0E33}\RP64\A0222523.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B8EE8118-149E-4481-8096-6D6FBFCC0E33}\RP64\A0222531.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B8EE8118-149E-4481-8096-6D6FBFCC0E33}\RP64\A0222539.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B8EE8118-149E-4481-8096-6D6FBFCC0E33}\RP66\A0224286.DLL

Adware.Vundo-Variant/Small-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B8EE8118-149E-4481-8096-6D6FBFCC0E33}\RP64\A0222526.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B8EE8118-149E-4481-8096-6D6FBFCC0E33}\RP64\A0222527.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B8EE8118-149E-4481-8096-6D6FBFCC0E33}\RP64\A0222528.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B8EE8118-149E-4481-8096-6D6FBFCC0E33}\RP64\A0222530.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B8EE8118-149E-4481-8096-6D6FBFCC0E33}\RP64\A0222533.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B8EE8118-149E-4481-8096-6D6FBFCC0E33}\RP64\A0222535.DLL


HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:08:22, on 01/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AntiSpyware\Adaware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AntiSpyware\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AntiSpyware\Super\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\AntiSpyware\AnalyseTrendMicro\AnalyseTrendMicro.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ANTISP~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRAM FILES\QUICKTIME\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\AntiSpyware\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\AntiSpyware\Super\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1195778825593
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\AntiSpyware\Super\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\AntiSpyware\Adaware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe


No remaining problems that I can see; the pop-ups have disappeared again.
 
You now appear to be clean. Congratulations!

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints, Malware Complaints. You need to be registered to post, as unfortunately we were hit with too many spam postings to allow guest posting to continue. Just find your country room and register your complaint.

Below are some steps to follow in order to dramatically lower the chances of reinfection.
You may have already implemented some of the steps below; however, you should follow any steps that you have not already implemented.
    • Turn System Restore off
    • On the Desktop, right click on the My Computer icon.
    • Click Properties.
    • Click the System Restore tab.
    • Check Turn off System Restore.
    • Click Apply, and then click OK.
    Restart
    • Turn System Restore on
    • On the Desktop, right click on the My Computer icon.
    • Click Properties.
    • Click the System Restore tab.
    • Uncheck *Turn off System Restore*.
    • Click Apply, and then click OK.
    Note: only do this once, and not on a regular basis
  1. Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
  2. Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it, so that after the patch is installed attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC.
    Go here to check for & install updates to Microsoft applications
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.
  3. Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector; I suggest that you run it at least once a month.
  4. Make Internet Explorer more secure
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & Click Custom level
    In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
    Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  5. Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets kill bits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
    If you don't know what ActiveX controls are, see here
    You can download SpywareBlaster from here
  6. Install and use Spybot Search & Destroy
    Instructions are located here
    Make sure you update, reimmunize & scan regularly
  7. Make use of the HOSTS file included with Spybot Search & Destroy
    Every version of Windows includes a HOSTS file. A HOSTS file is a bit like a phone book: it maps the human-friendly name of a website to its actual numeric address (i.e. the IP address). This feature can be used to block malicious websites.
    Spybot Search & Destroy has a good HOSTS file built in. To enable the HOSTS file in Spybot Search & Destroy:
    • Run Spybot Search & Destroy
    • Click on Mode, and then place a tick next to Advanced mode
    • Click Yes
    • In the left hand pane of Spybot Search & Destroy, click on Tools, and then on Hosts File
    • Click on Add Spybot-S&D hosts list
    Note: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue:
    • Click Start > Run
    • Type services.msc & click OK
    • In the list, find the service called DNS Client & double click on it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click OK & then close the Services window
    For a more detailed explanation of the HOSTS file, click here
  8. Install a-squared Free & update and scan with it regularly
    a-squared free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. You can get it here
    Note: If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer which provides some real time protection against premium rate dialers
  9. Finally, I am trying to make one point very clear: it is absolutely essential to keep all of your security programs up to date.
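The settings in steps 4, 5 and 7 above can be verified from Windows PowerShell instead of being clicked through one dialog at a time. The script below is an added example; it is not part of the original reply and not code from SpywareBlaster, Spybot or any other tool named above. It only reads the registry and service state unless you call Set-IEZonePolicy yourself, and the CLSID in the demo call is a placeholder, not a real control. The registry value names 1001, 1004 and 1201 are the Internet zone's three ActiveX policies from step 4 (0 = Enable, 1 = Prompt, 3 = Disable), and a kill bit is the 0x400 bit of "Compatibility Flags" under the ActiveX Compatibility key, which is what SpywareBlaster sets.

```powershell
# Added audit script, not from the original reply: checks the Internet
# Explorer zone, kill-bit, DNS Client and HOSTS settings described in steps
# 4, 5 and 7. Read-only unless you call Set-IEZonePolicy yourself.

# Internet zone = zone 3. Values 1001/1004/1201 are the three ActiveX
# policies named in step 4; 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$WantedZonePolicy = @{
    '1001' = 1   # Download signed ActiveX controls               -> Prompt
    '1004' = 1   # Download unsigned ActiveX controls             -> Prompt
    '1201' = 3   # Initialize and script controls not marked safe -> Disable
}
$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBitFlag = 0x400   # "Compatibility Flags" bit that blocks a control in IE

function New-CheckResult {
    param([string]$Setting, $Actual, $Wanted, [bool]$Ok)
    New-Object PSObject -Property @{ Setting = $Setting; Actual = $Actual; Wanted = $Wanted; Ok = $Ok }
}

function Test-IEZonePolicy {
    $props = Get-ItemProperty -Path $ZoneKey -ErrorAction SilentlyContinue
    foreach ($name in $WantedZonePolicy.Keys) {
        $actual = $null
        if ($props -ne $null) { $actual = $props.$name }
        New-CheckResult "IE Internet zone value $name" $actual $WantedZonePolicy[$name] ($actual -eq $WantedZonePolicy[$name])
    }
}

function Set-IEZonePolicy {
    # Applies the step 4 values for the current user only (HKCU).
    foreach ($name in $WantedZonePolicy.Keys) {
        Set-ItemProperty -Path $ZoneKey -Name $name -Value $WantedZonePolicy[$name] -Type DWord
    }
}

function Test-KillBit {
    param([string[]]$Clsid)
    foreach ($id in $Clsid) {
        $flags = (Get-ItemProperty -Path (Join-Path $KillBitRoot $id) -ErrorAction SilentlyContinue).'Compatibility Flags'
        New-CheckResult "Kill bit for $id" $flags $KillBitFlag (($flags -band $KillBitFlag) -eq $KillBitFlag)
    }
}

function Test-DnsClientStartMode {
    # Step 7: a large HOSTS file is slow while the DNS Client cache is running.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='Dnscache'"
    New-CheckResult 'DNS Client (Dnscache) start mode' $svc.StartMode 'Manual' ($svc.StartMode -eq 'Manual')
}

function Get-HostsSinkholeCount {
    # Entries that point a name at the loopback or null address (the Spybot
    # list uses 127.0.0.1); comments and the default localhost line do not count.
    $hosts = Join-Path $env:SystemRoot 'system32\drivers\etc\hosts'
    @(Get-Content $hosts | Where-Object { $_ -match '^\s*(127\.0\.0\.1|0\.0\.0\.0)\s+(?!localhost\s*$)\S+' }).Count
}

# Demo run. The CLSID below is a placeholder, not a real control; pass the
# CLSIDs you actually want blocked (SpywareBlaster's list, or one from an O16 line).
$results = @(Test-IEZonePolicy) +
           @(Test-KillBit -Clsid '{00000000-0000-0000-0000-000000000000}') +
           @(Test-DnsClientStartMode)
$results | Format-Table Setting, Actual, Wanted, Ok -AutoSize
"HOSTS file sinkhole entries: $(Get-HostsSinkholeCount)"
```

Save it as a .ps1 and run it from Windows PowerShell; an Ok of False on any row means the corresponding step above has not been applied. Get-WmiObject is the Windows PowerShell cmdlet (on PowerShell 7 use Get-CimInstance with the same class and filter), and because the zone values live under HKCU the check and Set-IEZonePolicy apply to the account you run them as, so repeat them for each user on the PC.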
 
Thank you so much for your help, can't tell you how much I appreciate it!

One last question: I ran the ESET Online Scan again, just to be sure, and this came up:
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2701 (20071204)
# vers_arch_module=1.059 (20071108)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=61d481c885ca9d41bd835a2893012679
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2007-12-04 04:14:20
# local_time=2007-12-04 04:14:20 (+0000, GMT Standard Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 2
# scanned=124664
# found=22
# scan_time=2597
C:\qoobox\Quarantine\C\VundoFix Backups\mllmj.dll.bad.vir Win32/Adware.Virtumonde application 0115EA648DD1EAC9EE1E7221D9F6A38F
C:\qoobox\Quarantine\C\VundoFix Backups\omhqanwm.dll.bad.vir Win32/Adware.SecToolbar application FE971D3C328F96C17C1C618AF2212829
C:\qoobox\Quarantine\C\VundoFix Backups\uxqpxzwe.dll.bad.vir Win32/Adware.SecToolbar application FE971D3C328F96C17C1C618AF2212829
C:\qoobox\Quarantine\C\VundoFix Backups\yqmcdgkx.dll.bad.vir Win32/Adware.SecToolbar application FE971D3C328F96C17C1C618AF2212829
C:\qoobox\Quarantine\C\WINDOWS\system32\akfjqglo.dll.vir.vir Win32/Adware.SecToolbar application FE971D3C328F96C17C1C618AF2212829
C:\qoobox\Quarantine\C\WINDOWS\system32\grsgayuw.dll.vir Win32/Adware.SecToolbar application EB231039C5027BE29FAAB15C80E25FB4
C:\qoobox\Quarantine\C\WINDOWS\system32\iamwuxck.dll.vir Win32/Adware.SecToolbar application EB231039C5027BE29FAAB15C80E25FB4
C:\qoobox\Quarantine\C\WINDOWS\system32\juylnkhk.dll.ren.vir Win32/Adware.Virtumonde application F813296BC2544BAA539683D509B7BFF3
C:\qoobox\Quarantine\C\WINDOWS\system32\klpslxwy.dll.vir Win32/BHO.G trojan 0A93E54EB34B5443D98B76EE8C26D7FF
C:\qoobox\Quarantine\C\WINDOWS\system32\kqahcerr.dll.vir Win32/Adware.Virtumonde application F813296BC2544BAA539683D509B7BFF3
C:\qoobox\Quarantine\C\WINDOWS\system32\krvblvqd.dll.vir Win32/BHO.G trojan 5CCFD60AE18A22A6D15197D519446123
C:\qoobox\Quarantine\C\WINDOWS\system32\lxuqonob.dll.ren.vir Win32/Adware.Virtumonde application F813296BC2544BAA539683D509B7BFF3
C:\qoobox\Quarantine\C\WINDOWS\system32\mxebflmn.dll.vir Win32/BHO.G trojan 0A93E54EB34B5443D98B76EE8C26D7FF
C:\qoobox\Quarantine\C\WINDOWS\system32\omhqanwm.dll.vir.vir Win32/Adware.SecToolbar application FE971D3C328F96C17C1C618AF2212829
C:\qoobox\Quarantine\C\WINDOWS\system32\omtyuewt.dll.vir Win32/Adware.Virtumonde application F813296BC2544BAA539683D509B7BFF3
C:\qoobox\Quarantine\C\WINDOWS\system32\rjtvddma.dll.ren.vir Win32/Adware.Virtumonde application F813296BC2544BAA539683D509B7BFF3
C:\qoobox\Quarantine\C\WINDOWS\system32\sinngdqn.dll.vir Win32/BHO.G trojan 5CCFD60AE18A22A6D15197D519446123
C:\qoobox\Quarantine\C\WINDOWS\system32\wasurmfl.dll.vir Win32/Adware.SecToolbar application EB231039C5027BE29FAAB15C80E25FB4
C:\qoobox\Quarantine\C\WINDOWS\system32\xajurjpa.dll.vir Win32/Adware.SecToolbar application EB231039C5027BE29FAAB15C80E25FB4
C:\qoobox\Quarantine\C\WINDOWS\system32\xhhfrlhf.dll.vir Win32/Adware.SecToolbar application EB231039C5027BE29FAAB15C80E25FB4
C:\qoobox\Quarantine\C\WINDOWS\system32\xhjuusfx.dll.vir Win32/Adware.SecToolbar application EB231039C5027BE29FAAB15C80E25FB4
C:\qoobox\Quarantine\C\WINDOWS\system32\zzpdkrxg.dll.vir.vir Win32/Adware.SecToolbar application FE971D3C328F96C17C1C618AF2212829

Those files are safe now, aren't they? Not a threat?
 
All the files it found were in C:\qoobox\. That's the quarantine folder for ComboFix, so you can delete it.
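The answer above can be checked mechanically rather than by eye: every path in both logs on this page sits under C:\qoobox\, a System Restore point, a tool's backup folder or the cookie store, and none under a live system32 or Program Files location. The PowerShell below is an added example, not part of the original thread and not code from any of the scanners; it parses both the SUPERAntiSpyware layout (a category line followed by paths) and the ESET layout (path, threat name, category and MD5 on one line) and reports which detections are still live. The sample input is constructed from lines copied out of the two logs above plus one made-up live-path line (its file name and MD5 are placeholders) so that the case that would matter is visible.

```powershell
# Added example, not part of the original thread: sort scanner detections by
# where the flagged file lives. Hits inside a quarantine, backup or
# restore-point folder are inert renamed copies; a hit on a live path matters.

# Constructed sample: lines copied from the SUPERAntiSpyware and ESET logs in
# this thread, plus one made-up live-path line (placeholder name and MD5).
$SampleLog = @'
Adware.Vundo-Variant
C:\PROGRAM FILES\ANTISPYWARE\ANALYSETRENDMICRO\BACKUPS\BACKUP-20071119-180519-694.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B8EE8118-149E-4481-8096-6D6FBFCC0E33}\RP64\A0222523.DLL
Adware.Tracking Cookie
C:\Documents and Settings\Home\Cookies\home@spyguardpro[2].txt
C:\qoobox\Quarantine\C\VundoFix Backups\mllmj.dll.bad.vir Win32/Adware.Virtumonde application 0115EA648DD1EAC9EE1E7221D9F6A38F
C:\qoobox\Quarantine\C\WINDOWS\system32\klpslxwy.dll.vir Win32/BHO.G trojan 0A93E54EB34B5443D98B76EE8C26D7FF
C:\WINDOWS\system32\made-up-sample.dll Win32/Adware.Virtumonde application 00000000000000000000000000000000
'@

# ESET log line: <path> <threat> <category> <md5>. The path may contain
# spaces, so anchor on the 32-hex-digit MD5 at the end and work backwards.
$EsetPattern = '^(?<path>[A-Za-z]:\\.+?)\s+(?<threat>\S+)\s+(?<category>\S+)\s+(?<md5>[0-9A-Fa-f]{32})$'

function Get-DetectionClass {
    param([string]$Path)
    if ($Path -match '^[A-Za-z]:\\qoobox\\')                              { return 'Quarantine' }   # ComboFix
    if ($Path -match '^[A-Za-z]:\\System Volume Information\\_restore\{') { return 'RestorePoint' } # System Restore
    if ($Path -match '\\Backups\\')                                       { return 'ToolBackup' }   # VundoFix etc.
    if ($Path -match '\\Cookies\\[^\\]+@[^\\]+\.txt$')                    { return 'Cookie' }
    return 'Live'
}

function ConvertFrom-ScanLog {
    param([string[]]$Lines)
    $category = 'unknown'
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }   # ESET "# key=value" header
        if ($line -match $EsetPattern) {
            $path = $Matches['path']; $threat = $Matches['threat']
        } elseif ($line -match '^[A-Za-z]:\\') {
            $path = $line; $threat = $category        # SUPERAntiSpyware: bare path under a category
        } else {
            $category = $line; continue               # SUPERAntiSpyware category header
        }
        New-Object PSObject -Property @{
            Path   = $path
            Threat = $threat
            Class  = Get-DetectionClass -Path $path
        }
    }
}

function Get-LiveDetections {
    param([string[]]$Lines)
    @(ConvertFrom-ScanLog -Lines $Lines | Where-Object { $_.Class -eq 'Live' })
}

$lines = $SampleLog -split "`r?`n"
$all   = @(ConvertFrom-ScanLog -Lines $lines)
$all | Group-Object Class | Select-Object Name, Count | Format-Table -AutoSize
$live = Get-LiveDetections -Lines $lines
if ($live.Count -gt 0) {
    'Still live on disk:'
    $live | Format-Table Path, Threat -AutoSize
} else {
    'All detections are in quarantine, backup or restore-point folders.'
}
```

Feed it a real log with ConvertFrom-ScanLog -Lines (Get-Content .\scan.txt). The RestorePoint class is exactly what the "Turn System Restore off, restart, turn it on" step above clears, a tool's quarantine folder (C:\qoobox\ for ComboFix) can simply be deleted once the machine is confirmed clean, and only a Live row would call for further cleaning.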
 