I Had Virtumonde, But I Think I Got Rid Of It


15 replies to this topic

#1 numskully

  • Members
  • 16 posts

Posted 08 June 2008 - 08:56 AM

Can someone check my HijackThis file? I ran several online virus scanners, Norton AV 2002, Spyware Doctor and Norton's FixVundo. And how did Virtumonde run, seeing as I do not have Java installed?

thanks!





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:41 AM, on 6/8/2008
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\DKZNOTE\DKZNOTE.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\DESKTOP\NEW FOLDER\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - .DEFAULT Startup: DK Notes.lnk = C:\Program Files\DKZNOTE\dkznote.exe (User 'Default user')
O4 - Startup: DK Notes.lnk = C:\Program Files\DKZNOTE\dkznote.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...312/mcfscan.cab

--
End of file - 3235 bytes
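A HijackThis log like the one above is usually read by eye. As an added example that is not part of this post or of HijackThis itself, the Python below parses the O-section lines from a constructed sample built out of a few lines of that log: it pulls out each CLSID, lists the O4 Run/RunServices autostarts, and collects the hosts that the O16 ActiveX controls were downloaded from (here, the online scanners the poster ran).

```python
import re
from urllib.parse import urlparse

# Constructed sample: a handful of lines in the shape of the HijackThis log above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: DK Notes.lnk = C:\Program Files\DKZNOTE\dkznote.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
--
End of file - 3235 bytes
"""

# Every finding is "O<n> - <body>"; header, process list and trailer lines are skipped.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O4 registry autostarts: "<hive>\..\Run<suffix>: [<value name>] <command line>"
RUN_RE = re.compile(r"^(?P<key>.+\\Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# O16 Downloaded Program Files (ActiveX): "DPF: {CLSID} (<name>) - <url>"
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[^}]+\}) \((?P<name>[^)]+)\) - (?P<url>\S+)$")

def parse_hijackthis(text):
    """Return one dict per O-section finding, in log order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        entry = {"section": section, "raw": body}
        clsid = CLSID_RE.search(body)
        if clsid:
            entry["clsid"] = clsid.group(0).upper()
        if section == "O4" and (run := RUN_RE.match(body)):
            entry.update(run.groupdict())          # key, name, cmd
        elif section == "O16" and (dpf := DPF_RE.match(body)):
            entry.update(dpf.groupdict())          # clsid, name, url
            entry["host"] = urlparse(dpf.group("url")).hostname
        entries.append(entry)
    return entries

def registry_autostarts(entries):
    """(value name, command) for each O4 entry that came from a Run/RunServices key."""
    return [(e["name"], e["cmd"]) for e in entries if e["section"] == "O4" and "name" in e]

def dpf_hosts(entries):
    """Distinct hosts that O16 ActiveX controls were fetched from, sorted."""
    return sorted({e["host"] for e in entries if e["section"] == "O16" and "host" in e})

if __name__ == "__main__":
    found = parse_hijackthis(SAMPLE_LOG)
    print(registry_autostarts(found))
    print(dpf_hosts(found))
```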

#2 numskully

  • Topic Starter

  • Members
  • 16 posts

Posted 09 June 2008 - 05:37 PM

Anyone have help?

#3 Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 16 June 2008 - 09:48 PM

Hello numskully. Welcome to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the reply button in the lower left hand corner of your screen.
See you soon,
Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#4 numskully

  • Topic Starter

  • Members
  • 16 posts

Posted 17 June 2008 - 12:52 AM

Thanks for your time!

#5 Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 17 June 2008 - 03:52 PM

Hello, numskully.

Vundo's typical infection routine does attack outdated Java installations. However, your system does have Java installed. It's just not Sun's version of Java. Windows ME systems ship with the Microsoft Java Virtual Machine. Also, Vundo's own infection method attacks Java, but it is possible another trojan or rogue installed Vundo.

You should be aware that you are using an outdated and insecure operating system.
According to your log, you are using Windows 9x. Windows 9x (that is, Windows 95, Windows 98, and Windows ME) is no longer supported by Microsoft. This means that if bugs or security problems are discovered in the operating system, it is impossible to close the holes. This system will very likely be infected again. For more information, you should see Microsoft's End of Support Notice.

It is recommended to either retire this system from service, or to install a more secure operating system such as Ubuntu Linux or Windows XP.

This system is vulnerable to all Windows and Internet Explorer holes discovered after July 11, 2006!

Please do an online scan with Kaspersky WebScanner.
  • Please visit the Kaspersky Online Scanner website.
    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please reply with the Kaspersky log.

#6 numskully

  • Topic Starter

  • Members
  • 16 posts

Posted 17 June 2008 - 07:03 PM

Thanks very much for the Java info! Didn't know it was on my computer, from the winME install.

I tried the Kaspersky WebScanner on Firefox and IE, and it said it wasn't compatible. Looks like it doesn't work with winME. Should I use another browser scanner?

thanks

#7 Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 17 June 2008 - 07:11 PM

Hello numskully.

Try installing Java from here:
http://www.java.com/en/download/windows98me_manual.jsp

and then re-running those instructions.

Billy3

#8 numskully

  • Topic Starter

  • Members
  • 16 posts

Posted 18 June 2008 - 11:49 AM

I get the error "OS type: Windows Me" on IE and Firefox. Kaspersky will not work on winME. Any other scanner to try?

#9 numskully

  • Topic Starter

  • Members
  • 16 posts

Posted 20 June 2008 - 01:51 PM

Help please!

#10 Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 20 June 2008 - 03:36 PM

Sorry for the delay. We have been having a problem finding tools that still work on win9x :thumbsup:

I will be replying shortly :)

Billy3

#11 numskully

  • Topic Starter

  • Members
  • 16 posts

Posted 21 June 2008 - 12:02 AM

Sorry I have an outdated OS. Thanks for taking the time though!

Keep me updated.

Edited by numskully, 21 June 2008 - 12:03 AM.


#12 Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 21 June 2008 - 03:37 PM

Hello, Numskully.

Sorry for the delay. We have been having a problem finding tools that still work on win9x :thumbsup:

Let's try this one:
Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

We need to run a system scan with Dr. Web CureIt
  • Please download DrWeb-CureIt & save it to your desktop.
    DO NOT perform a scan yet.
  • Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". Do not select "Safe Mode with Networking" or "Safe Mode with Command Prompt".
  • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Custom Scan", then Select drives (a red dot will show which drives have been chosen).
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)
Billy3

#13 numskully

  • Topic Starter

  • Members
  • 16 posts

Posted 22 June 2008 - 03:45 PM

mirc.exe;C:\Program Files\mIRC;Program.mIRC.623;Deleted.;



I did some research on Program.mIRC.623 and I don't think I actually had it. My registry was not modified and I had no problems with mIRC. And the files it was supposed to create were not on my hard drive. So does my comp look clean? Is Virtumonde a problem anymore?

thanks Billy3!

#14 Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 24 June 2008 - 08:12 AM

Numskully, you now appear to be clean. Congratulations!

If you used the mIRC Internet Relay Chat client, you may have to reinstall it from here: http://www.mirc.com/ in order for that program to operate correctly. If, on the other hand, you don't use IRC, you can ignore this line :thumbsup:

We need to clean up our tools.
You can delete the Dr.Web CureIT program from your system if you like.

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints: Malware Complaints. Just find your country room and register your complaint.
Your machine was not infected.

Below are some steps to follow in order to dramatically lower the chances of reinfection.
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.
  • Set a New Restore Point to prevent possible reinfection from an old one.
    Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.
    Click Start> settings> control panel
    Double click "system" (you may need to click "View all control panel options" to see it).
    On the "performance" tab click File System
    On the "troubleshooting" tab click Disable system restore
    Click OK

    Reboot when prompted.

    Go back and re-enable restore by UNchecking "disable system restore"
    Hit OK

    Reboot when prompted.

    A new restore point is created at this time. You will not be able to restore the computer to any point earlier than today.
  • Make sure you install all the security updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC.
    Go here to check for & install updates to Microsoft applications.
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.
  • Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector. I suggest that you run it at least once a month.
  • Make Internet Explorer more secure
    • Click Start -> Run
    • Type "Inetcpl.cpl" (without quotes) & click OK.
    • Click on the Security tab.
    • Click "Reset all zones to default level"
    • Make sure the Internet Zone is selected & click "Custom level"
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Click OK, then Apply, then OK to exit the Internet Properties page.
  • Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
    If you don't know what ActiveX controls are, see here.
    You can download SpywareBlaster from here.
  • Install and use Spybot Search & Destroy
    Instructions are located here
    Make sure you update, reimmunize & scan regularly.
  • Make use of the HOSTS file included with Spybot Search & Destroy
    Every version of Microsoft Windows includes a hosts file. A hosts file is a bit like a phone book: it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites.
    Spybot Search & Destroy has a good HOSTS file built in. To enable it,
    • Run Spybot Search & Destroy
    • Click the Mode button on the toolbar, and then place a tick next to Advanced mode.
    • Click Yes.
    • In the left hand pane of Spybot Search & Destroy, click on "Tools", and then on Hosts File.
    • Click on "Add Spybot-S&D hosts list"
    Note: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue:
    • Click Start -> Run.
    • Type "services.msc" (without quotes) & click OK.
    • In the list, find the service called "DNS Client" & double click on it.
    • On the dropdown box, change the setting from "Automatic" to "Manual".
    • Click OK.
    • Exit/close the Services window
    For a more detailed explanation of the HOSTS file, click here.
  • Install a-squared Free & update and scan with it regularly
    a-squared Free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. You can get it here.
    Note: If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer, which provides some real time protection against premium rate dialers.
  • Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date!


#15 numskully

  • Topic Starter

  • Members
  • 16 posts

Posted 24 June 2008 - 09:56 AM

Thanks so much Billy3! I appreciate your help.
