Trojan.win32.monder And Virtumonde.zlb Infection


  • This topic is locked
2 replies to this topic

#1 bpurvis1 (Members, 2 posts)

Posted 17 July 2008 - 10:12 AM

I've been working on this infection for the last 2 days to no avail. I've downloaded all types of "fixers" and none of them even detect the virus. The only thing that has detected it is Spybot and my anti-virus McAfee (but it stopped detecting it yesterday). I have the Kaspersky log and a HijackThis log below. Please help!!

Kaspersky Log

Thursday, July 17, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, July 17, 2008 13:47:14
Records in database: 963176


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area Critical Areas
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Richard\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics
Files scanned 25183
Threat name 2
Infected objects 21
Suspicious objects 0
Duration of the scan 00:17:16

File name Threat name Threats count
C:\WINDOWS\system32\lkjyuwry.dll//UPX/C:\WINDOWS\system32\lkjyuwry.dll//UPX Infected: Trojan.Win32.Monder.gen 6

C:\Program Files\Trend Micro\HijackThis\backups\backup-20080711-083340-817.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.zlb 1

C:\Program Files\Trend Micro\HijackThis\backups\backup-20080711-095947-811.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.zlb 1

C:\WINDOWS\system32\dcxdoiao.dll Infected: Trojan.Win32.Monder.gen 1

C:\WINDOWS\system32\drbtco.dll Infected: Trojan.Win32.Monder.gen 1

C:\WINDOWS\system32\fwrvlaek.dll Infected: Trojan.Win32.Monder.gen 1

C:\WINDOWS\system32\idgkrt.dll Infected: Trojan.Win32.Monder.gen 1

C:\WINDOWS\system32\jcepmd.dll Infected: Trojan.Win32.Monder.gen 1

C:\WINDOWS\system32\kvwgbs.dll Infected: Trojan.Win32.Monder.gen 1

C:\WINDOWS\system32\lkjyuwry.dll Infected: Trojan.Win32.Monder.gen 1

C:\WINDOWS\system32\lqabvmgp.dll Infected: Trojan.Win32.Monder.gen 1

C:\WINDOWS\system32\odpwgfmg.dll Infected: Trojan.Win32.Monder.gen 1

C:\WINDOWS\system32\opnmKCRk.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.zlb 1

C:\WINDOWS\system32\ospxupmy.dll Infected: Trojan.Win32.Monder.gen 1

C:\WINDOWS\system32\ozlhck.dll Infected: Trojan.Win32.Monder.gen 1

C:\WINDOWS\system32\tnqpprxf.dll Infected: Trojan.Win32.Monder.gen 1

The selected area was scanned.


HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:49 AM, on 7/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {3FE89575-CB24-423D-8A40-81F9EFDDFB8B} - C:\WINDOWS\system32\jkkLEXNe.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {829E2F0A-A7B5-4886-9180-0BA1CB432D6E} - C:\WINDOWS\system32\ljJBtqNH.dll (file missing)
O2 - BHO: (no name) - {E86C71AA-A4D0-468B-B3B0-8F337BB8842E} - C:\WINDOWS\system32\iifFUkHy.dll (file missing)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll (file missing)
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [9ccf9af5] rundll32.exe "C:\WINDOWS\system32\lkjyuwry.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe

--
End of file - 3934 bytes
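The two logs in the post above line up in a way the post itself does not spell out: the O4 Run entry `[9ccf9af5] rundll32.exe "C:\WINDOWS\system32\lkjyuwry.dll",b` loads exactly the DLL Kaspersky reports as Trojan.Win32.Monder.gen (found inside a UPX-packed object), while the three "(no name)" BHO entries point at DLLs that are already gone from disk. The Python script below is an added example written for this page; it is not code from the thread, from HijackThis or from Kaspersky. It parses short excerpts of both logs (constructed from the lines posted above), resolves Kaspersky's `//UPX/...` object notation back to an on-disk path, and correlates HijackThis persistence entries with the AV detections. The triage rules (a Run value named like an 8-digit hex string, a nameless BHO whose file is missing) are my own heuristics, not documented behaviour of either tool.

```python
import re

# Constructed excerpts of the two logs posted above (a handful of lines each,
# not the full logs). Raw strings keep the single backslashes of Windows paths.
KASPERSKY_LOG = r"""
C:\WINDOWS\system32\lkjyuwry.dll//UPX/C:\WINDOWS\system32\lkjyuwry.dll//UPX Infected: Trojan.Win32.Monder.gen 6
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080711-083340-817.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.zlb 1
C:\WINDOWS\system32\dcxdoiao.dll Infected: Trojan.Win32.Monder.gen 1
C:\WINDOWS\system32\lkjyuwry.dll Infected: Trojan.Win32.Monder.gen 1
C:\WINDOWS\system32\opnmKCRk.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.zlb 1
"""

HJT_LOG = r"""
O2 - BHO: (no name) - {3FE89575-CB24-423D-8A40-81F9EFDDFB8B} - C:\WINDOWS\system32\jkkLEXNe.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [9ccf9af5] rundll32.exe "C:\WINDOWS\system32\lkjyuwry.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
"""

# Kaspersky result line: "<path> Infected: <threat> <count>"
KASP_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+\d+$")
# HijackThis O2 (browser helper object) and O4 (Run key) lines
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
                   r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
# First quoted-or-bare Windows path ending in .dll inside a rundll32 command line
DLL_RE = re.compile(r'"?(?P<dll>[A-Za-z]:\\[^",]+?\.dll)"?', re.IGNORECASE)
# Heuristic (mine): Run values named like 8 hex digits rather than a product name
HEX_VALUE_RE = re.compile(r"^[0-9a-f]{8}$")


def parse_kaspersky(text):
    """Map lower-cased on-disk path -> threat name.

    Kaspersky reports an object found inside a packer as
    "<file>//UPX/<file>//UPX"; everything from the first "//" on is the
    in-archive path, so it is dropped to get the path HijackThis would print.
    """
    hits = {}
    for line in text.splitlines():
        m = KASP_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path").split("//", 1)[0]
        hits[path.lower()] = m.group("threat")
    return hits


def parse_hjt(text):
    """Return a list of dicts for the O2 and O4 entries of a HijackThis log."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            entries.append({"kind": "O2", "name": m.group("name"), "path": m.group("path"),
                            "missing": bool(m.group("missing")), "line": line})
            continue
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd")
            dll = None
            if "rundll32" in cmd.lower():      # only rundll32 lines carry a DLL to resolve
                d = DLL_RE.search(cmd)
                dll = d.group("dll") if d else None
            entries.append({"kind": "O4", "name": m.group("value"), "cmd": cmd,
                            "dll": dll, "line": line})
    return entries


def triage(kasp_hits, hjt_entries):
    """Correlate persistence entries with AV hits; returns (severity, reason, log line)."""
    findings = []
    for e in hjt_entries:
        if e["kind"] == "O2" and e["name"] == "(no name)" and e["missing"]:
            findings.append(("medium",
                             "nameless BHO whose DLL is gone: leftover CLSID of a removed component",
                             e["line"]))
        elif e["kind"] == "O4" and e["dll"]:
            dll_l = e["dll"].lower()
            threat = kasp_hits.get(dll_l)
            if threat:
                findings.append(("high", f"Run entry loads a DLL Kaspersky flagged as {threat}",
                                 e["line"]))
            elif "\\system32\\" in dll_l and HEX_VALUE_RE.match(e["name"]):
                findings.append(("medium",
                                 "rundll32 loads a system32 DLL from a hex-named Run value (no AV hit)",
                                 e["line"]))
    return findings


def run_triage(kasp_text=KASPERSKY_LOG, hjt_text=HJT_LOG):
    return triage(parse_kaspersky(kasp_text), parse_hjt(hjt_text))


if __name__ == "__main__":
    for sev, why, line in run_triage():
        print(f"[{sev}] {why}\n    {line}")
```

On the constructed excerpts the script reports two findings: the orphaned "(no name)" BHO at medium severity, and the `[9ccf9af5]` Run entry at high severity because its DLL matches a Kaspersky detection. Swapping in the full logs from the post would flag the other two nameless BHOs the same way; the remaining Monder DLLs Kaspersky lists have no Run entry in the HijackThis log, which is why a Run-key view alone understates the infection.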


#2 fenzodahl512 (Members, 6,738 posts)

Posted 18 July 2008 - 11:31 PM

Hello, my name is fenzodahl512 and welcome to BC. Please do the following.

Please visit the webpage below for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. DO NOT select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix (located in C:\combofix.txt) when you've accomplished that, along with a new HijackThis log.


Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 fenzodahl512 (Members, 6,738 posts)

Posted 06 August 2008 - 08:28 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic

