
Virtumonde Infection


#1 Apocalypse_666


  • Members
  • 72 posts
  • Gender:Male
  • Location:Amsterdam, The Netherlands
  • Local time:04:15 PM

Posted 11 September 2008 - 01:16 PM

Okay, I'm having some major problems. My brother's PC was infected with Virtumonde (I believe) not too long ago. I used a system restore point, and everything was gone, but I forgot to delete the older/newer restore points, so I guess this infection was still slumbering somewhere inside the system.
The symptoms are quite severe: when starting up normally, almost three quarters of the usual icons have vanished, and two or three new icons apparently belonging to some virus/malware removal tools have popped up. They're not icons but URLs however, which I haven't clicked on, of course. I'm afraid I'm not sure exactly what they were called seeing as I deleted them asap.
Next to that, it is (almost) impossible to open either the explorer or the task manager, as it gives a prompt saying something like: "the administrator has locked the task manager/explorer". Furthermore, in the bottom right corner it says in capitals VIRUS WARNING, and every once in a while a pop-up comes up saying I'm infected blablaba.

So, here's what I tried myself:
First of all, my brother ran both Ad-Aware, AVG and Spybot S&D. They found something, but I wasn't there, so my brother clicked Fix, which it obviously didn't do very adequately. Then I got home and tried some things. I booted up into safe mode and ran HJT. I know a little about reading these logs, so I researched all the entries and deleted the files that were obviously malware-related and fixed their entries. However, on restarting the infection was still there. I rebooted into safe-mode, ran hijackthis again, and saw that the entries were still there, but now with the message (file missing) behind it.
Then, I ran both Ad-Aware and AVG in safe mode (seeing as I can't do anything in normal mode). Ad-Aware found Virtumonde, which is why I believe this is the infection we're dealing with. Of course, it was unable to remove it properly.
Then I followed the virtumonde tutorial on this site, running both Vundofix and Virtumondebegone. You can guess for yourself, it's still there.
So, I'm kind of at a dead end now, and I was hoping one of you guys could save my butt!

Oh, one last hint. When I start up in normal safe mode there is no sign of the infection, but when I start up with safe mode with networking support, it IS there!

The Hijackthis-log, gotten with quite a lot of effort seeing as I don't have internet on that pc now:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:58:23 PM, on 9/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Safe mode

Running processes:
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\HijackThis!\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Gmailnotifier\gnotify.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [d898e309] rundll32.exe "D:\WINDOWS\system32\epllbcan.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - D:\WINDOWS\system32\Pen_Tablet.exe

End of file - 4291 bytes

Please excuse me for not running all the programs from the "Preparation guide for use before posting" but I doubt very much that it would have made any sense, seeing as I know Virtumonde to be extremely tough, and it being a hell of a lot of hassle to get any program on that PC at all, seeing as it has no internet.

So, thanks for any time or help!
Don't worry my fat friend, I will be cleaning in the bathroom...
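The log above is the kind of artifact a helper on this forum reads by hand: the O4 autorun entries are where Virtumonde-style infections usually sit, and the tell-tale signs are a random-looking hexadecimal value name, rundll32.exe loading a DLL out of system32 with a one-letter export, and (after a manual cleanup like the one described in the post) orphaned entries tagged "(file missing)". The following script is an added triage example, not the poster's work nor anything from HijackThis itself; it parses O4 lines and scores them against those three heuristics. The sample input is the O4 section copied from the log in this post plus one constructed "(file missing)" line for contrast. A hit means "investigate this entry", not a verdict on the file.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the O4 entries quoted in the post above, plus one
# constructed orphaned entry (ExampleOrphan) to show the "(file missing)" case.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Gmailnotifier\gnotify.exe
O4 - HKLM\..\Run: [d898e309] rundll32.exe "D:\WINDOWS\system32\epllbcan.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [ExampleOrphan] D:\WINDOWS\system32\example_deleted.exe (file missing)
"""

# HijackThis O4 line: "O4 - HKLM\..\Run: [ValueName] command line"
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$'
)
# Exactly eight hex digits as a value name is a common auto-generated pattern.
HEX_NAME_RE = re.compile(r'^[0-9a-f]{8}$', re.IGNORECASE)
# rundll32.exe "<dll>",<entry>  (quotes optional)
RUNDLL_RE = re.compile(
    r'^rundll32(\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<entry>\S*)', re.IGNORECASE
)


@dataclass
class Autorun:
    hive: str
    name: str
    cmd: str
    reasons: list = field(default_factory=list)


def parse_o4(log_text):
    """Return one Autorun per O4 line; other HijackThis sections are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(Autorun(m['hive'], m['name'], m['cmd']))
    return entries


def assess(entry):
    """Attach a reason string for every heuristic the entry trips."""
    if HEX_NAME_RE.match(entry.name):
        entry.reasons.append("random-looking 8-hex-digit value name")
    if entry.cmd.rstrip().endswith("(file missing)"):
        entry.reasons.append("orphaned: target file no longer exists, registry value remains")
    rm = RUNDLL_RE.match(entry.cmd)
    if rm:
        if '\\system32\\' in rm['dll'].lower():
            entry.reasons.append("rundll32 loading a DLL from system32")
        if len(rm['entry']) == 1:
            entry.reasons.append("single-letter export used as entry point")
    return entry


def triage(log_text):
    """Map value name -> reasons, for entries that trip at least one heuristic."""
    flagged = {}
    for entry in parse_o4(log_text):
        assess(entry)
        if entry.reasons:
            flagged[entry.name] = entry.reasons
    return flagged


def report(log_text):
    """Human-readable summary, one line per flagged entry."""
    lines = []
    for name, reasons in triage(log_text).items():
        lines.append(f"[{name}] -> " + "; ".join(reasons))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against the sample, the script flags `d898e309` on three counts and `ExampleOrphan` only as orphaned; the vendor-signed AVG, ATI and ctfmon entries pass untouched. The orphan check is the programmatic version of what the poster saw after deleting files by hand: the Run value survives and HijackThis marks it "(file missing)", so it still has to be fixed in the registry even though the file is gone.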

#2 Apocalypse_666

  • Topic Starter

  • Members
  • 72 posts
  • Gender:Male
  • Location:Amsterdam, The Netherlands
  • Local time:04:15 PM

Posted 15 September 2008 - 05:36 PM

Okay, never mind. The infection had gotten so bad that even safe mode wasn't safe any more, so my bro decided to do a total clean install. No more help needed, but thanks anyway.
Don't worry my fat friend, I will be cleaning in the bathroom...
