
Another Virtumonde



#1 graser

graser

  • Members
  • 2 posts
  • OFFLINE
  • Local time:02:06 AM

Posted 24 December 2008 - 12:18 AM

I have a Windows XP Home computer that is infected with the virtumonde.generic trojan as per Spybot. I have been able to reduce the problem to two registry entries:

HKEY_USERS\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

and

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}


However, these cannot be erased. I have also tried to manually remove them in REGEDIT, but they link to a folder iexplorer which cannot be deleted.

The system comes up clean using "Malwarebytes' Anti-Malware".

Below is the DDS file output. Any help you can provide is greatly appreciated.


DDS (Version 1.1.0) - NTFSx86
Run by Klaus & Laura at 23:03:18.78 on Tue 12/23/2008
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1429 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hphmon03.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Klaus & Laura\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://82.98.235.133/go//?cmp=vm_finance_cj_onlinecash911_h&nid=&uid=6D38BCECC3A411DDAFD5171409CFFFFF&guid=98555E3088EC496CADC14D7B98782208&affid=171409&lid=winlogon.exe&rid=zdez&v=1176&m=an2g
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
TB: &Google: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [vptray] c:\program files\navnt\vptray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [HPHmon03] c:\windows\system32\hphmon03.exe
mRunOnce: [SpybotSnD] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\klaus&~1\applic~1\mozilla\firefox\profiles\rf2b46v8.default\

============= SERVICES / DRIVERS ===============

R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-9-10 611664]
R2 NAVAPEL;NAVAPEL;\??\c:\program files\navnt\NAVAPEL.SYS [2001-10-29 9296]
R2 Norton AntiVirus Server;Norton AntiVirus Client;"c:\program files\navnt\rtvscan.exe" [2001-10-29 466944]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2008-5-20 18864]

=============== Created Last 30 ================

2008-12-23 18:33 <DIR> --d----- c:\program files\Lavasoft
2008-12-23 18:32 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-23 17:05 <DIR> --d----- C:\ComboFix
2008-12-23 16:36 <DIR> a-dshr-- C:\cmdcons
2008-12-22 22:07 <DIR> --d----- c:\docume~1\klaus&~1\applic~1\Malwarebytes
2008-12-22 22:07 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-22 22:07 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-22 22:07 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-22 22:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-22 19:30 <DIR> --d----- c:\documents and settings\Klaus & Laura
2008-12-09 12:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\viketime
2008-12-09 12:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ropepike
2008-12-09 00:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\gamosiwo
2008-12-09 00:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\bapofofe
2008-12-06 15:07 483 a------- c:\windows\wininit.ini
2008-12-06 13:40 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-06 13:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

==================== Find3M ====================

2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-20 18:40 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-16 14:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-03 04:02 247,326 a------- c:\windows\system32\strmdll.dll
2004-08-04 04:00 94,784 ---sh--- c:\windows\twain.dll
2008-04-13 18:12 50,688 ---sh--- c:\windows\twain_32.dll
2008-09-22 22:01 63,687 a--sh--- c:\windows\system32\lujorosu.dll
2008-04-13 18:11 1,028,096 a--sh--- c:\windows\system32\mfc42.dll
2008-04-13 18:12 57,344 ---sh--- c:\windows\system32\msvcirt.dll
2008-04-13 18:12 413,696 a--sh--- c:\windows\system32\msvcp60.dll
2008-04-13 18:12 343,040 a--sh--- c:\windows\system32\msvcrt.dll
2008-04-13 18:12 551,936 ---sh--- c:\windows\system32\oleaut32.dll
2008-04-13 18:12 84,992 ---sh--- c:\windows\system32\olepro32.dll
2008-04-13 18:12 11,776 ---sh--- c:\windows\system32\regsvr32.exe
2008-09-22 22:01 63,687 a--sh--- c:\windows\system32\zomuhiwu.dll

============= FINISH: 23:03:32.50 ===============

Edited by Orange Blossom, 24 December 2008 - 12:30 AM.
Moved from XP forum. ~ OB




#2 graser

graser
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:02:06 AM

Posted 25 December 2008 - 02:57 PM

I seem to have solved the problem, so please do not spend any more time on this one. It turns out I only had to change the permissions associated with the remaining Registry entries before I could delete them. Thanks for running a forum that helps with these things.
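The fix described above (reset the permissions on the locked key, then delete it) as a scripted cleanup step. This is an added example, not code from the post or from any of the tools named in it; it assumes an elevated PowerShell session on the affected machine, uses the hypothetical function name Remove-LockedUsersKey, and targets the HKEY_USERS\S-1-5-18 key path quoted in the first post (pass the other path from the post to clean the second entry).

```powershell
# Added example (not from the original post): take ownership of a registry
# key under HKEY_USERS whose ACL blocks deletion, grant Administrators full
# control, then remove it. Run from an elevated (Administrator) session.
function Remove-LockedUsersKey {
    param(
        [Parameter(Mandatory)][string]$SubKeyPath,   # path relative to HKEY_USERS
        [switch]$WhatIf                              # dry run: report, do not delete
    )
    $admins = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'
    $hive   = [Microsoft.Win32.Registry]::Users

    # 1. Take ownership. Opening with only the TakeOwnership right works even
    #    when the DACL denies everything else, because an elevated administrator
    #    holds SeTakeOwnershipPrivilege.
    $key = $hive.OpenSubKey($SubKeyPath,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    if (-not $key) { throw "Key not found: HKEY_USERS\$SubKeyPath" }
    $acl = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Owner)
    $acl.SetOwner($admins)
    $key.SetAccessControl($acl)
    $key.Close()

    # 2. As owner, rewrite the DACL: drop any explicit Deny entries left behind
    #    and give Administrators full control of the key and its subkeys.
    $key = $hive.OpenSubKey($SubKeyPath,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]::ChangePermissions)
    $acl = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
    foreach ($rule in $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])) {
        if ($rule.AccessControlType -eq 'Deny') { [void]$acl.RemoveAccessRule($rule) }
    }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
        $admins, 'FullControl', 'ContainerInherit', 'None', 'Allow')))
    $key.SetAccessControl($acl)
    $key.Close()

    # 3. Delete the key and everything under it through an HKU: provider drive.
    if (-not (Test-Path 'HKU:\')) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    Remove-Item -LiteralPath "HKU:\$SubKeyPath" -Recurse -WhatIf:$WhatIf
}

# Dry run against the key quoted in the post; drop -WhatIf to actually delete it.
Remove-LockedUsersKey -WhatIf -SubKeyPath `
    'S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}'
```

Regedit's Permissions dialog does the same three steps by hand; the script only makes the order (owner first, then DACL, then delete) explicit and repeatable across both keys.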

#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:06 AM

Posted 28 December 2008 - 12:18 AM

Hello graser,

Thank you for letting us know. :thumbsup:

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?



