Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: Windows 10 Lean: Microsoft Developing a Minimalist Version of Windows

Featured Deal: Pay What You Want Complete Cyber Security Certification Bundle Deal

Virtumonde - cannot remove

Started by tmcd , Dec 08 2008 10:04 PM

Please log in to reply

13 replies to this topic

#1 tmcd

Members
7 posts
OFFLINE

Local time:07:44 PM

Posted 08 December 2008 - 10:04 PM

I have a Dell D610 Laptop with XP SP2. I started getting pop-ups so I installed spybot. Spybot was able to remove most of the trojans but was not able to remove virtumonde.

Appreciate any help you can provide.

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 Budapest

Bleepin' Cynic

Moderator
23,573 posts
OFFLINE

Gender:Male
Local time:11:44 AM

Posted 08 December 2008 - 10:12 PM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.

On the Scanner tab:

Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

Click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

_{The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw}

#3 tmcd

Topic Starter

Members
7 posts
OFFLINE

Local time:07:44 PM

Posted 08 December 2008 - 10:51 PM

Here is the report. Rebooting now.

Malwarebytes' Anti-Malware 1.31
Database version: 1476
Windows 5.1.2600 Service Pack 2

12/8/2008 9:50:23 PM
mbam-log-2008-12-08 (21-50-23).txt

Scan type: Quick Scan
Objects scanned: 80333
Time elapsed: 20 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 14
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 25

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\khfGyATl.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\swrpsa.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\xeadov.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\falnop.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{55911448-5629-4f00-a23d-71282020abff} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{55911448-5629-4f00-a23d-71282020abff} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{b6472dce-b519-4f4a-95cb-dd368116f718} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b6472dce-b519-4f4a-95cb-dd368116f718} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{29ab5c8c-114e-4fef-b72d-4c74beac83d2} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3f15fdc5-f5ec-4ef6-9485-d4993209cfec} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{55911448-5629-4f00-a23d-71282020abff} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b4bd1b89-fcc7-457b-9ef4-e8ad9875e054} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Deewoo Network Manager (Adware.Radio) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\khfgyatl -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\khfgyatl -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\khfGyATl.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lTAyGfhk.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lTAyGfhk.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\opulvepn.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\npevlupo.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\udbhhwph.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hpwhhbdu.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\swrpsa.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\xeadov.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\falnop.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\cqepbjuc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ducidp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hsmujtjn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lmmeys.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nsrqgkmt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qasbymfq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\swxntrpa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wndbcdhe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xiyutr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xqaxwpdb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\tam6573\Local Settings\Temporary Internet Files\Content.IE5\CHF124V1\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\tam6573\Local Settings\Temporary Internet Files\Content.IE5\CHF124V1\zc113432[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winpfz33.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

#4 Budapest

Bleepin' Cynic

Moderator
23,573 posts
OFFLINE

Gender:Male
Local time:11:44 AM

Posted 08 December 2008 - 10:58 PM

Reboot your computer, run the Malwarebytes Full Scan and post the new log.

_{The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw}

#5 tmcd

Topic Starter

Members
7 posts
OFFLINE

Local time:07:44 PM

Posted 09 December 2008 - 12:36 AM

Full Scan after reboot. Rebooting again.

Malwarebytes' Anti-Malware 1.31
Database version: 1476
Windows 5.1.2600 Service Pack 2

12/8/2008 11:34:25 PM
mbam-log-2008-12-08 (23-34-24).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 267223
Time elapsed: 1 hour(s), 30 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{355F0CB9-CAC9-4448-98CA-41494131EA78}\RP912\A0183082.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{355F0CB9-CAC9-4448-98CA-41494131EA78}\RP922\A0185340.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{355F0CB9-CAC9-4448-98CA-41494131EA78}\RP922\A0185342.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{355F0CB9-CAC9-4448-98CA-41494131EA78}\RP922\A0185344.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{355F0CB9-CAC9-4448-98CA-41494131EA78}\RP922\A0185345.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{355F0CB9-CAC9-4448-98CA-41494131EA78}\RP922\A0185346.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{355F0CB9-CAC9-4448-98CA-41494131EA78}\RP922\A0185347.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{355F0CB9-CAC9-4448-98CA-41494131EA78}\RP922\A0185348.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{355F0CB9-CAC9-4448-98CA-41494131EA78}\RP922\A0185349.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{355F0CB9-CAC9-4448-98CA-41494131EA78}\RP922\A0185350.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{355F0CB9-CAC9-4448-98CA-41494131EA78}\RP922\A0185351.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{355F0CB9-CAC9-4448-98CA-41494131EA78}\RP922\A0185352.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{355F0CB9-CAC9-4448-98CA-41494131EA78}\RP922\A0185353.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{355F0CB9-CAC9-4448-98CA-41494131EA78}\RP922\A0185409.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{355F0CB9-CAC9-4448-98CA-41494131EA78}\RP922\A0185410.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{355F0CB9-CAC9-4448-98CA-41494131EA78}\RP922\A0185412.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{355F0CB9-CAC9-4448-98CA-41494131EA78}\RP922\A0185413.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hov\BATU2I3X.exe (Adware.Agent) -> Quarantined and deleted successfully.

#6 Budapest

Bleepin' Cynic

Moderator
23,573 posts
OFFLINE

Gender:Male
Local time:11:44 AM

Posted 09 December 2008 - 12:46 AM

Now please run this scan:

http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/

_{The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw}

#7 tmcd

Topic Starter

Members
7 posts
OFFLINE

Local time:07:44 PM

Posted 09 December 2008 - 01:18 AM

SDFix.exe is on my desktop but it does not do anything when I double click on it. No folder exists at C:\ called SDFix. I should have administrator priviledges.

#8 Budapest

Bleepin' Cynic

Moderator
23,573 posts
OFFLINE

Gender:Male
Local time:11:44 AM

Posted 09 December 2008 - 01:29 AM

Did you try any of the fixes given at the start of the page I linked to:

Common problems/messages and how to fix them:

Error Message:

The command prompt has been disabled by your administrator.
Press any key to continue . . .

How to fix:

Click on the Start menu, then Run, and then copy and paste the following line into the Run field:

%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg

Press OK then run SDFix again

Problem:

If the Command Prompt window flashes on then off again on XP or Windows 2000

How to fix:

Click on the Start menu, then Run, and then copy and paste the following line into the Run field:

%systemroot%\system32\cmd.exe /K %systemdrive%\SDFix\apps\FixPath.exe

Then click OK, then type Y and press Enter when prompted, Reboot and start SDFix again

Problem:

If SDFix still doesn't run check the %comspec% variable

How to fix:

Click on the Start button then right-click on My Computer and select properties. Then click on the Advanced tab and then click on the Environment Variables. Under System Variables, make sure that the ComSpec variable points to %SystemRoot%\system32\cmd.exe

_{The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw}

#9 tmcd

Topic Starter

Members
7 posts
OFFLINE

Local time:07:44 PM

Posted 09 December 2008 - 01:51 AM

It doesn't appear that the self extraction will run as it does not create the c:\SDFix folder. I tried the fixes mentioned. I also tried to start up in safe boot but I cannot get past the logon screen. I must not have full administrator privileges as I previously thought. This PC has had the ADMINISTRATOR account changed by someone else.

#10 Budapest

Bleepin' Cynic

Moderator
23,573 posts
OFFLINE

Gender:Male
Local time:11:44 AM

Posted 09 December 2008 - 01:54 AM

You really should try to get hold of the Admin passwords for the computer. Is it your computer?

_{The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw}

#11 tmcd

Topic Starter

Members
7 posts
OFFLINE

Local time:07:44 PM

Posted 09 December 2008 - 02:01 AM

No it is not my computer. I will contact the IT dept. tomorrow to get the Administrator password. IT wanted to wipe the Hard Drive so I tried to get it fixed first.

#12 Budapest

Bleepin' Cynic

Moderator
23,573 posts
OFFLINE

Gender:Male
Local time:11:44 AM

Posted 09 December 2008 - 04:01 PM

I'm pretty sure the infection is gone, but I'd like to run SDFix as a double check.

_{The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw}

#13 tmcd

Topic Starter

Members
7 posts
OFFLINE

Local time:07:44 PM

Posted 09 December 2008 - 10:54 PM

Budapest

I performed another quick scan after 24 hrs and it appears it is still clean as no inflictions were found. The PC is working better than it has in quite some time. I was unable to work with our IT dept. today to get the SDFix scan completed.

I will turn it over to them to finish it up if they want. Is it ok to refer them to this site?

Thanks a lot for your assistance.