Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Virtumonde (and maybe more..)

  • This topic is locked This topic is locked
2 replies to this topic

#1 cbrnet


  • Members
  • 2 posts
  • Local time:05:51 PM

Posted 11 December 2008 - 03:42 AM


Was infected with Virtumonde and Trojan.Zlob.G (was also getting "resycledboot.com is not a valid win32 application" when trying to open other HDD) but maybe more from visiting a bad site. Have attempted a clean by:

System Restore Off
Flash Disinfector
Malware Bytes scan

Now in safe mode and have done a RSIT scan.. would appreciate if someone could review my logs and tell me if I've still got problems!!

Many thanks in advance.



======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 GearAspiWDM;GearAspiWDM; C:WINDOWSsystem32driversGearAspiWDM.sys [2004-07-29 14384]
R1 kbdhid;Keyboard HID Driver; C:WINDOWSSystem32DRIVERSkbdhid.sys [2004-08-03 14848]
R3 hidusb;Microsoft HID Class Driver; C:WINDOWSSystem32DRIVERShidusb.sys [2001-08-23 9600]
R3 LHidFilt;Logitech SetPoint KMDF HID Filter Driver; C:WINDOWSsystem32DRIVERSLHidFilt.Sys [2008-02-29 35344]
R3 LMouFilt;Logitech SetPoint KMDF Mouse Filter Driver; C:WINDOWSsystem32DRIVERSLMouFilt.Sys [2008-02-29 36880]
R3 mouhid;Mouse HID Driver; C:WINDOWSSystem32DRIVERSmouhid.sys [2001-08-17 12160]
R3 NVENET;NVIDIA nForce Networking Controller Driver; C:WINDOWSsystem32DRIVERSNVENET.sys [2004-01-29 93764]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:WINDOWSSystem32DRIVERSusbccgp.sys [2004-08-03 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:WINDOWSSystem32DRIVERSusbehci.sys [2004-08-03 26624]
R3 usbhub;USB2 Enabled Hub; C:WINDOWSSystem32DRIVERSusbhub.sys [2004-08-03 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:WINDOWSSystem32DRIVERSusbohci.sys [2004-08-03 17024]
R3 usbprint;Microsoft USB PRINTER Class; C:WINDOWSSystem32DRIVERSusbprint.sys [2004-08-03 25856]
R3 Wdf01000;Wdf01000; C:WINDOWSsystem32DRIVERSWdf01000.sys [2006-11-02 492000]
S1 AmdK7;AMD K7 Processor Driver; C:WINDOWSSystem32DRIVERSamdk7.sys [2004-08-03 37376]
S1 PQIMount;PQIMount; C:WINDOWSsystem32driversPQIMount.sys [2004-07-29 46779]
S3 Arp1394;1394 ARP Client Protocol; C:WINDOWSSystem32DRIVERSarp1394.sys [2004-08-03 60800]
S3 catchme;catchme; ??C:DOCUME~1ADMINI~1LOCALS~1Tempcatchme.sys []
S3 ltmodem5;LT Modem Driver; C:WINDOWSSystem32DRIVERSltmdmnt.sys [2004-08-03 606684]
S3 MODEMCSA;Unimodem Streaming Filter Device; C:WINDOWSsystem32driversMODEMCSA.sys [2001-08-17 16128]
S3 NAVAP;NAVAP; ??C:Program FilesNavNTNAVAP.sys []
S3 NAVEX15;NAVEX15; ??C:PROGRA~1COMMON~1SYMANT~1VIRUSD~120080910.003NAVEX15.sys []
S3 NIC1394;1394 Net Driver; C:WINDOWSSystem32DRIVERSnic1394.sys [2004-08-03 61824]
S3 nv;nv; C:WINDOWSSystem32DRIVERSnv4_mini.sys [2008-05-03 6554496]
S3 nvax;Service for NVIDIAŽ nForce™ Audio Enumerator; C:WINDOWSsystem32driversnvax.sys [2004-05-25 48640]
S3 nvnforce;Service for NVIDIAŽ nForce™ Audio; C:WINDOWSsystem32driversnvapu.sys [2004-05-25 396032]
S3 SymEvent;SymEvent; ??C:WINDOWSsystem32DriversSYMEVENT.SYS []
S3 usbscan;USB Scanner Driver; C:WINDOWSsystem32DRIVERSusbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:WINDOWSsystem32DRIVERSUSBSTOR.SYS [2004-08-03 26496]
S4 IntelIde;IntelIde; C:WINDOWSsystem32driversIntelIde.sys []
S4 sr;System Restore Filter Driver; C:WINDOWSSystem32DRIVERSsr.sys [2004-08-03 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

S2 DefWatch;DefWatch; C:Program FilesNavNTdefwatch.exe [2000-12-22 32768]
S2 GEARSecurity;GEARSecurity; C:WINDOWSSystem32GEARSec.exe [2004-07-29 53248]
S2 Matrox Centering Service;Matrox Centering Service; C:Program FilesMatrox Graphics IncPowerDeskServicesMatrox.PowerDesk.Services.exe [2008-03-05 500992]
S2 Matrox.Pdesk.ServicesHost;Matrox.Pdesk.ServicesHost; C:Program FilesMatrox Graphics IncPowerDesk SEMatrox.Pdesk.ServicesHost.exe [2008-03-13 177408]
S2 Norton AntiVirus Server;Norton AntiVirus Client; C:Program FilesNavNTrtvscan.exe [2000-12-22 430080]
S2 Norton Ghost;Norton Ghost; C:Program FilesSymantecNorton GhostAgentPQV2iSvc.exe [2004-07-29 1269760]
S2 NVSvc;NVIDIA Display Driver Service; C:WINDOWSsystem32nvsvc32.exe [2008-05-03 159812]
S3 aspnet_state;ASP.NET State Service; C:WINDOWSMicrosoft.NETFrameworkv1.1.4322aspnet_state.exe [2003-02-20 32768]
S3 LBTServ;Logitech Bluetooth Service; C:Program FilesCommon FilesLogishrdBluetoothLBTServ.exe [2008-05-02 121360]
S3 ose;Office Source Engine; C:Program FilesCommon FilesMicrosoft SharedSource EngineOSE.EXE [2003-07-28 89136]



info.txt logfile of random's system information tool 1.04 2008-12-11 06:35:30

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:WINDOWSINFPCHealth.inf
Azureus Vuze-->C:Program FilesAzureusuninstall.exe
CDDRV_Installer-->MsiExec.exe /I{0C826C5B-B131-423A-A229-C71B3CACCD6A}
HijackThis 2.0.2-->"C:Program FilesTrend MicroHijackThisHijackThis.exe" /uninstall
Java™ 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
KhalInstallWrapper-->MsiExec.exe /I{3101CB58-3482-4D21-AF1A-7057FC935355}
LiveUpdate 2.0 (Symantec Corporation)-->C:Program FilesSymantecLiveUpdateLSETUP.EXE /U
Logitech SetPoint-->C:Program FilesInstallShield Installation Information{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}setup.exe -runfromtemp -l0x0009 -removeonly
Malwarebytes' Anti-Malware-->"C:Program FilesMalwarebytes' Anti-Malwareunins000.exe"
Matrox PowerDesk-SE (GXM)-->MsiExec.exe /X{E767C4B7-BB9D-4A27-8DC2-1BB81D16BFB5}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5-->"C:WINDOWS$NtUninstallWdf01005$spuninstspuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (>C:Program FilesMozilla Firefoxuninstallhelper.exe
Norton AntiVirus Corporate Edition-->MsiExec.exe /I{BD12EB47-DBDF-11D3-BEEA-00A0CC272509}
Norton Ghost 9.0-->MsiExec.exe /X{3C759736-8347-4031-BB9C-D75ADFE6B101}
NVIDIA Drivers-->C:WINDOWSsystem32nvuninst.exe UninstallGUI
NvMixer-->RunDll32 C:PROGRA~1COMMON~1INSTAL~1engine6INTEL3~1Ctor.dll,LaunchSetup "C:Program FilesInstallShield Installation Information{D7A6C517-11F2-419F-B5BB-27772B939698}Setup.exe" -uninstall
Windows XP Service Pack 2-->C:WINDOWS$NtServicePackUninstall$spuninstspuninst.exe

======Hosts File====== localhost

======Environment variables======

"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 10 Stepping 0, AuthenticAMD


Sorry, forgot to post the HJT log too... oops.

Here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:21:49, on 11/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:Program FilesTrend MicroHijackThisHijackThis.exe

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page =
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Local Page =
R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:Program FilesJavajre1.6.0_05binssv.dll
O4 - HKLM..Run: [Norton Ghost 9.0] C:Program FilesSymantecNorton GhostAgentGhostTray.exe
O4 - HKLM..Run: [vptray] C:Program FilesNavNTvptray.exe
O4 - HKLM..Run: [NVMixerTray] "C:Program FilesNVIDIA CorporationNvMixerNVMixerTray.exe"
O4 - HKLM..Run: [SunJavaUpdateSched] "C:Program FilesJavajre1.6.0_05binjusched.exe"
O4 - HKLM..Run: [NvCplDaemon] RUNDLL32.EXE C:WINDOWSsystem32NvCpl.dll,NvStartup
O4 - HKLM..Run: [nwiz] nwiz.exe /install
O4 - HKLM..Run: [NvMediaCenter] RUNDLL32.EXE C:WINDOWSsystem32NvMcTray.dll,NvTaskbarInit
O4 - HKLM..Run: [Matrox PowerDesk SE] "C:Program FilesMatrox Graphics IncPowerDesk SEMatrox.PowerDesk SE.exe"
O4 - HKLM..Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM..RunOnce: [Malwarebytes' Anti-Malware] C:Program FilesMalwarebytes' Anti-Malwarembamgui.exe /install /silent
O4 - HKUS.DEFAULT..Run: [CTFMON.EXE] C:WINDOWSSystem32CTFMON.EXE (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:Program FilesLogitechSetPointSetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_05binnpjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_05binnpjpi160_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MICROS~2OFFICE11REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O17 - HKLMSystemCCSServicesTcpip..{3ED4B5AD-7C92-4BFF-867F-199CD48D497D}: NameServer =
O17 - HKLMSystemCS1ServicesTcpip..{3ED4B5AD-7C92-4BFF-867F-199CD48D497D}: NameServer =
O23 - Service: DefWatch - Symantec Corporation - C:Program FilesNavNTdefwatch.exe
O23 - Service: GEARSecurity - GEAR Software - C:WINDOWSSystem32GEARSec.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:Program FilesCommon FilesLogishrdBluetoothLBTServ.exe
O23 - Service: Matrox Centering Service - Matrox Graphics Inc. - C:Program FilesMatrox Graphics IncPowerDeskServicesMatrox.PowerDesk.Services.exe
O23 - Service: Matrox.Pdesk.ServicesHost - Matrox Graphics Inc. - C:Program FilesMatrox Graphics IncPowerDesk SEMatrox.Pdesk.ServicesHost.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:Program FilesNavNTrtvscan.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:Program FilesSymantecNorton GhostAgentPQV2iSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:WINDOWSsystem32nvsvc32.exe

End of file - 4113 bytes

Merged posts. ~ OB

Edited by Orange Blossom, 11 December 2008 - 10:15 PM.

BC AdBot (Login to Remove)


#2 teacup61


    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:12:51 PM

Posted 17 December 2008 - 01:28 PM

Hello cbrnet,

Posted Image

Sorry about the delay.:thumbsup: If you still need help, please post a new HijackThis log ONLY, and made in normal mode, to make sure nothing has changed, and I'll be happy to look at it for you.

Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image

Error reading poptart in Drive A: Delete kids y/n?

#3 teacup61


    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:12:51 PM

Posted 27 December 2008 - 06:08 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image

Error reading poptart in Drive A: Delete kids y/n?

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users