

Virtumonde Infection



#1 Apocalypse_666


  • Members
  • 72 posts
  • Gender:Male
  • Location:Amsterdam, The Netherlands

Posted 11 September 2008 - 01:16 PM

Okay, I'm having some major problems. My brother's pc was infected with Virtumonde (I believe) not too long ago. I used a system restore point, and everything was gone, but I forgot to delete the older/newer restore points, so I guess this infection was still slumbering somewhere inside the system.
The symptoms are quite severe: when starting up normally, almost three quarters of the usual icons have vanished, and two or three new icons apparently belonging to some virus/malware removal tools have popped up. They're not icons but URLs however, which I haven't clicked on of course. I'm afraid I'm not sure exactly what they were called, seeing as I deleted them asap.
Next to that, it is (almost) impossible to open either the Explorer or the Task Manager, as it gives a prompt saying something like: "the administrator has locked the task manager/explorer". Furthermore, in the right bottom corner it says in capitals VIRUS WARNING, and every once in a while a pop-up comes up saying I'm infected blablaba.

So, here's what I tried myself:
First of all, my brother ran Ad-Aware, AVG and Spybot S&D. They found something, but I wasn't there, so my brother clicked Fix, which it obviously didn't do very adequately. Then I got home and tried some things. I booted up into safe mode and ran HJT. I know a little about reading these logs, so I researched all the entries and deleted the files that were obviously malware-related and fixed their entries. However, on restarting the infection was still there. I rebooted into safe mode, ran HijackThis again, and saw that the entries were still there, but now with the message (file missing) behind them.
Then, I ran both Ad-Aware and AVG in safe mode (seeing as I can't do anything in normal mode). Ad-Aware found Virtumonde, which is why I believe this is the infection we're dealing with. Of course, it was unable to remove it properly.
Then I followed the Virtumonde tutorial on this site, running both VundoFix and Virtumondebegone. You can guess for yourself, it's still there.
So, I'm kind of at a dead end now, and I was hoping one of you guys could save my butt!

Oh, one last hint. When I start up in normal safe mode there is no sign of the infection, but when I start up with safe mode with networking support, it IS there!

The HijackThis log, gotten with quite a lot of effort seeing as I don't have internet on that PC now:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:58:23 PM, on 9/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Safe mode

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\svchost.exe
C:\Program Files\HijackThis!\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Gmailnotifier\gnotify.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [d898e309] rundll32.exe "D:\WINDOWS\system32\epllbcan.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - D:\WINDOWS\system32\Pen_Tablet.exe

--
End of file - 4291 bytes

Please excuse me for not running all the programs from the "Preparation guide for use before posting" but I doubt very much that it would have made any sense, seeing as I know Virtumonde to be extremely tough, and it being a hell of a lot of hassle to get any program on that PC at all, seeing as it has no internet.

So, thanks for any time or help!
Regards,
Apoc
Don't worry my fat friend, I will be cleaning in the bathroom...
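For readers triaging a log like the one above, the entry worth a second look is the `O4` autostart line `[d898e309] rundll32.exe "D:\WINDOWS\system32\epllbcan.dll",b`: a random-looking hex value name, a DLL with a random-looking eight-letter name in system32, and a single-letter export. The following script is an added example (not from the poster or from BleepingComputer) that parses HijackThis `O4` lines and flags that pattern; the three heuristics are derived from the log line on this page, they are hints for a human reviewer rather than proof of infection, and the `NvCplDaemon` line is a constructed benign entry added for contrast.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the O4 (autostart) lines from the HijackThis log above,
# plus one benign rundll32 entry (NvCplDaemon) added for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [d898e309] rundll32.exe "D:\WINDOWS\system32\epllbcan.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
"""

# HijackThis O4 line layout: "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Value name made of exactly eight hex digits (as in "d898e309").
HEX_NAME_RE = re.compile(r"[0-9a-f]{8}", re.I)
# rundll32 <dll>,<export>, with or without quotes around the DLL path.
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S*)', re.I)


@dataclass
class Finding:
    name: str
    command: str
    reasons: list = field(default_factory=list)


def analyze_o4(line: str):
    """Return a Finding for one O4 line if it shows the suspicious pattern, else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    name, cmd = m["name"], m["cmd"]
    reasons = []
    if HEX_NAME_RE.fullmatch(name):
        reasons.append("value name is a random-looking 8-digit hex string")
    r = RUNDLL_RE.match(cmd)
    if r:
        # Basename of the DLL without directory or extension, e.g. "epllbcan".
        base = r["dll"].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if len(base) == 8 and base.isalpha() and base.islower():
            reasons.append("rundll32 loads a DLL with an 8-letter random-looking name")
        if len(r["export"]) == 1 and r["export"].isalpha():
            reasons.append("rundll32 calls a single-letter export")
    return Finding(name, cmd, reasons) if reasons else None


def scan_log(text: str) -> list:
    """Scan a whole HijackThis log and return the O4 entries worth reviewing."""
    return [f for f in map(analyze_o4, text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.name}] {f.command}")
        for reason in f.reasons:
            print("   -", reason)
```

Run against the sample, only the `d898e309` entry is reported, with all three reasons; the legitimate `NvCplDaemon` rundll32 entry passes because its DLL name and export name are not random-looking. A flagged entry still needs the file itself checked (for example hashed and submitted to a multi-engine scanner) before it is treated as malicious.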


#2 Apocalypse_666

Apocalypse_666
  • Topic Starter

  • Members
  • 72 posts
  • Gender:Male
  • Location:Amsterdam, The Netherlands

Posted 15 September 2008 - 05:36 PM

Okay, never mind. The infection had gotten so bad that even safe mode wasn't safe any more, so my bro decided to do a total clean install. No more help needed, but thanks anyway.
Don't worry my fat friend, I will be cleaning in the bathroom...



