
Removing Virtumonde?


  • This topic is locked
1 reply to this topic

#1 psyl0cibe

psyl0cibe

  • Members
  • 1 posts
  • OFFLINE
  • Local time:11:59 AM

Posted 02 November 2007 - 03:12 AM

Edit: Problem solved with ComboFix
Hey,
I was recently infected with Virtumonde from some website and deleted most relevant registry entries to the file sstqq.dll and qqtss.ini in the windows\system32 folder. I can't delete the file sstqq.dll, which is located in windows/system32, after trying to use KillBox, DeleteFXPFiles, and adding some delete command to autoexec.bat in C. I tried using VundoFix.exe and VirtumundoBeGone.exe to remove it completely but both have failed. VirtumundoBeGone had some slight success in detecting and removing it, but since I deleted all the registry entries with sstqq.dll or removed sstqq.dll from necessary entries it didn't detect it. Here is a log from VirtumundoBeGone.exe and a HijackThis log. Also, there was an item in HijackThis before related to sstqq.dll and I clicked it and checked fix and it's gone now, but sstqq.dll is still unable to be deleted. Please someone tell me how I can get rid of the rest of Virtumundo. What do I need to do to get rid of the sstqq.dll file and how do I unassociate it with the svchost.exe and lsass.exe processes?

VBG Log
[11/02/2007, 3:30:04] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\psyl0\Desktop\VirtumundoBeGone.exe" )
[11/02/2007, 3:30:10] - Detected System Information:
[11/02/2007, 3:30:10] - Windows Version: 5.1.2600, Service Pack 2
[11/02/2007, 3:30:10] - Current Username: psyl0(Admin)
[11/02/2007, 3:30:10] - Windows is in SAFE mode with Networking.
[11/02/2007, 3:30:10] - Searching for Browser Helper Objects:
[11/02/2007, 3:30:10] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[11/02/2007, 3:30:10] - BHO 2: {58E9AC24-5A2A-4908-9E3B-0633C0F8DF30} ()
[11/02/2007, 3:30:10] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/02/2007, 3:30:10] - Checking for HKLM\...\Winlogon\Notify\qomlihe
[11/02/2007, 3:30:10] - Found: HKLM\...\Winlogon\Notify\qomlihe - This is probably Virtumundo.
[11/02/2007, 3:30:11] - Assigning {58E9AC24-5A2A-4908-9E3B-0633C0F8DF30} MSEvents Object
[11/02/2007, 3:30:11] - BHO list has been changed! Starting over...
[11/02/2007, 3:30:11] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[11/02/2007, 3:30:11] - BHO 2: {58E9AC24-5A2A-4908-9E3B-0633C0F8DF30} (MSEvents Object)
[11/02/2007, 3:30:11] - ALERT: Found MSEvents Object!
[11/02/2007, 3:30:11] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[11/02/2007, 3:30:11] - BHO 4: {B02062F0-ABCA-40F8-BD67-8299AFFA57D9} ()
[11/02/2007, 3:30:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/02/2007, 3:30:11] - Checking for HKLM\...\Winlogon\Notify\sstqq
[11/02/2007, 3:30:11] - Key not found: HKLM\...\Winlogon\Notify\sstqq, continuing.
[11/02/2007, 3:30:11] - Finished Searching Browser Helper Objects
[11/02/2007, 3:30:11] - *** Detected MSEvents Object
[11/02/2007, 3:30:11] - Trying to remove MSEvents Object...
[11/02/2007, 3:30:12] - Terminating Process: IEXPLORE.EXE
[11/02/2007, 3:30:12] - Terminating Process: RUNDLL32.EXE
[11/02/2007, 3:30:12] - Disabling Automatic Shell Restart
[11/02/2007, 3:30:12] - Terminating Process: EXPLORER.EXE
[11/02/2007, 3:30:12] - Suspending the NT Session Manager System Service
[11/02/2007, 3:30:12] - Terminating Windows NT Logon/Logoff Manager
[11/02/2007, 3:30:12] - Re-enabling Automatic Shell Restart
[11/02/2007, 3:30:12] - File to disable: C:\WINDOWS\system32\qomlihe.dll
[11/02/2007, 3:30:12] - Renaming C:\WINDOWS\system32\qomlihe.dll -> C:\WINDOWS\system32\qomlihe.dll.vir
[11/02/2007, 3:30:12] - File successfully renamed!
[11/02/2007, 3:30:12] - Removing HKLM\...\Browser Helper Objects\{58E9AC24-5A2A-4908-9E3B-0633C0F8DF30}
[11/02/2007, 3:30:12] - Removing HKCR\CLSID\{58E9AC24-5A2A-4908-9E3B-0633C0F8DF30}
[11/02/2007, 3:30:12] - Adding Kill Bit for ActiveX for GUID: {58E9AC24-5A2A-4908-9E3B-0633C0F8DF30}
[11/02/2007, 3:30:12] - Deleting ATLEvents/MSEvents Registry entries
[11/02/2007, 3:30:12] - Removing HKLM\...\Winlogon\Notify\qomlihe
[11/02/2007, 3:30:12] - Searching for Browser Helper Objects:
[11/02/2007, 3:30:12] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[11/02/2007, 3:30:12] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[11/02/2007, 3:30:12] - BHO 3: {B02062F0-ABCA-40F8-BD67-8299AFFA57D9} ()
[11/02/2007, 3:30:12] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/02/2007, 3:30:12] - Checking for HKLM\...\Winlogon\Notify\sstqq
[11/02/2007, 3:30:12] - Key not found: HKLM\...\Winlogon\Notify\sstqq, continuing.
[11/02/2007, 3:30:12] - Finished Searching Browser Helper Objects
[11/02/2007, 3:30:12] - Finishing up...
[11/02/2007, 3:30:12] - A restart is needed.
[11/02/2007, 3:30:24] - Attempting to Restart via STOP error (Blue Screen!)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:08:50 AM, on 11/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Conversions Plus\FORMATM.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\perfs.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\Conversions Plus\MacName.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\psyl0\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [MacLicense] "C:\Program Files\Conversions Plus\MacLic.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "D:\Program Files\RivaTuner v2.0 RC 16\RivaTuner.exe" /S
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = D:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: MacName.lnk = C:\Program Files\Conversions Plus\MacName.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\psl0\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\psl0\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownlo...Plugin11USA.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/instal...edsolutions.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MacFormatService - DataViz Inc. - C:\Program Files\Conversions Plus\FORMATM.EXE
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9021 bytes
Edit: I just downloaded and ran combofix and surprisingly it fixed it.

ADS - svchost.exe: deleted 68 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cmthvlrg.dll
C:\WINDOWS\system32\grlvhtmc.ini
C:\WINDOWS\system32\qqtss.ini
C:\WINDOWS\system32\sstqq.dll
C:\WINDOWS\system32\xrxiyghe.dll

Edited by psyl0cibe, 02 November 2007 - 03:34 AM.
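The VirtumundoBeGone log above shows the heuristic the tool applies: a Browser Helper Object with no default name is suspicious, and if a Winlogon\Notify key of the same name exists it is "probably Virtumundo". The HijackThis log separately marks a service whose vendor is "Unknown owner". The following Python script is an added example (not code from the thread, from VirtumundoBeGone or from HijackThis) that reproduces that triage over log lines in the two formats shown on this page. The sample lines are constructed by copying a handful of entries from the logs above; the rule names (`unnamed_bho`, `winlogon_notify`, `unknown_owner_service`) are the example's own.

```python
import re

# Constructed sample: a few lines copied from the VirtumundoBeGone and
# HijackThis logs in the thread above (not a complete log).
SAMPLE_LOG = r"""
[11/02/2007, 3:30:10] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[11/02/2007, 3:30:10] - BHO 2: {58E9AC24-5A2A-4908-9E3B-0633C0F8DF30} ()
[11/02/2007, 3:30:10] - Found: HKLM\...\Winlogon\Notify\qomlihe - This is probably Virtumundo.
[11/02/2007, 3:30:11] - BHO 4: {B02062F0-ABCA-40F8-BD67-8299AFFA57D9} ()
[11/02/2007, 3:30:11] - Key not found: HKLM\...\Winlogon\Notify\sstqq, continuing.
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
"""

# VirtumundoBeGone: "BHO n: {CLSID} (name)" -- an empty name is the warning sign.
BHO_RE = re.compile(r"BHO \d+: (\{[0-9A-Fa-f-]+\}) \((.*)\)$")
# VirtumundoBeGone: a Winlogon\Notify key it located (the DLL is loaded by winlogon at logon).
NOTIFY_FOUND_RE = re.compile(r"Found: HKLM\\\.\.\.\\Winlogon\\Notify\\(\w+)")
# HijackThis: "O23 - Service: <display name> - <vendor> - <image path>"
SERVICE_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")


def triage(log_text):
    """Return (rule, evidence) tuples for lines that match the thread's heuristics."""
    findings = []
    for line in log_text.splitlines():
        m = BHO_RE.search(line)
        if m:
            if not m.group(2).strip():          # BHO registered without a default name
                findings.append(("unnamed_bho", m.group(1)))
            continue
        m = NOTIFY_FOUND_RE.search(line)
        if m:                                   # Winlogon\Notify persistence confirmed by VBG
            findings.append(("winlogon_notify", m.group(1)))
            continue
        m = SERVICE_RE.match(line)
        if m and m.group(2).strip().lower() == "unknown owner":
            findings.append(("unknown_owner_service", m.group(3).strip()))
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_LOG):
        print(f"{rule:24} {evidence}")
```

Run against the sample, the script flags the two unnamed BHOs, the `qomlihe` Winlogon\Notify entry, and the `perfs.exe` service. A "Key not found" line produces nothing, matching how VirtumundoBeGone itself moved on when no Notify key backed the unnamed `sstqq` BHO; the "Unknown owner" rule is only a prompt to look at the file, not a verdict, since legitimate services also ship without vendor information.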




#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:04:59 PM

Posted 02 November 2007 - 04:33 AM

Since this issue appears resolved, this Topic is now closed.

If you need this topic reopened, please request this by sending me
a PM with the address of the thread using the link here. This applies only to the original topic starter.

Everyone else please begin a New Topic.



