Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Possible Virtumonde infection?


  • This topic is locked This topic is locked
3 replies to this topic

#1 epoclaen

epoclaen

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:01:46 AM

Posted 26 December 2008 - 05:00 PM

Hi all,
When my system started getting incredibly sluggish I started by running Spybot S&D and AdAware 2008 which located Virtumonde and IRC.crt infections. I had caught a quick display of AntiVirusXP 2008 or 2009 from one website recently but the page didn't get a chance to fully load before I quickly closed the tab in FireFox and closed the AntiVirus XP 2008/2009 window. I figured it made its way onto the system anyway so I had AdAware fix the issues. IRC.crt keeps popping up but it claims that Virtumonde is gone. Avira AVG also flagged a file in the C:\Windows\system32\EV19 folder which I did a web search on and deleted manually.

I ran Vundo Fix and VirtumundoBegone as per http://www.bleepingcomputer.com/forums/lof...php/t18610.html without successful detection. I had found this forum by googling to the http://www.bleepingcomputer.com/forums/lof...hp/t173231.html solution page but wanted to make sure I got a personalized solution for my problem. I do have some of the files that are indicated in the posted fix I found such as %systemroot%\system32\drivers\ksecddd.sys but I won't do anything until I hear from someone about a proper fix.

I've run DDS Tool and here is the DDS.txt log:


DDS (Version 1.1.0) - NTFSx86
Run by Jeff two at 16:39:33.48 on Fri 12/26/2008
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.509 [GMT -5:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS2\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS2\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS2\Explorer.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Everything\Everything.exe
C:\WINDOWS2\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS2\SOUNDMAN.EXE
C:\WINDOWS2\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS2\system32\spoolsv.exe
C:\Documents and Settings\Jeff two\Start Menu\Programs\Startup\SGETASK.EXE
C:\Program Files\Trillian\trillian.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\IDM Computer Solutions\UltraEdit-32\uedit32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\WINDOWS2\system32\Wintab32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
C:\WINDOWS2\system32\PSIService.exe
C:\WINDOWS2\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS2\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jeff two\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
uRun: [ctfmon.exe] c:\windows2\system32\ctfmon.exe
uRun: [DAEMON Tools Pro Agent] "c:\program files\daemon tools pro\DTProAgent.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [prunnet] "c:\docume~1\jefftw~1\locals~1\temp\prun.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows2\system32\NvCpl.dll,NvStartup
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [Everything] "c:\program files\everything\Everything.exe" -startup
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows2\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] nwiz.exe /install
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [MSConfig] c:\windows2\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
StartupFolder: c:\docume~1\jefftw~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.4\program\quickstart.exe
StartupFolder: c:\documents and settings\jeff two\start menu\programs\startup\SGETASK.EXE
StartupFolder: c:\docume~1\jefftw~1\startm~1\programs\startup\trillian.lnk - c:\program files\trillian\trillian.exe
StartupFolder: c:\docume~1\jefftw~1\startm~1\programs\startup\uedit32.lnk - c:\program files\idm computer solutions\ultraedit-32\uedit32.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
IE: {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - c:\program files\eltima software\flash decompiler trillix\saveflash\iebt.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Notify: Antiwpa - antiwpa.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows2\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 uliagpkx;ULi AGP Bus Filter Driver;c:\windows2\system32\drivers\agpkx.sys [2006-1-18 45056]
R1 avgio;avgio;\??\c:\program files\avira\antivir personaledition classic\avgio.sys [2008-8-1 11840]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-5-12 611664]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;"c:\program files\avira\antivir personaledition classic\sched.exe" [2008-8-1 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;"c:\program files\avira\antivir personaledition classic\avguard.exe" [2008-8-1 151297]
R2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;"c:\program files\autodesk\3ds max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe" [2008-3-9 65536]
R3 avgntflt;avgntflt;\??\c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-8-1 52032]
R3 dfmirage;dfmirage;c:\windows2\system32\drivers\dfmirage.sys [2005-11-27 31896]
R3 ULI5261XP;ULi M526X Ethernet NT Driver;c:\windows2\system32\drivers\ULILAN51.SYS [2007-6-27 28672]
S3 Partizan;Partizan;c:\windows2\system32\drivers\Partizan.sys [2008-9-29 30946]
S3 W2kbhid;KBGear Tablet (USB);c:\windows2\system32\drivers\W2kbhid.sys [2006-9-7 23552]
S3 Wtcls2k;Wtcls2k;c:\windows2\system32\drivers\Wtcls2k.sys [2006-9-7 13824]

=============== Created Last 30 ================

2008-12-24 01:46 102,664 a------- c:\windows2\system32\drivers\tmcomm.sys
2008-12-24 01:25 <DIR> --d----- c:\documents and settings\jeff two\.housecall6.6
2008-12-23 23:14 <DIR> --d----- c:\windows2\system32\EV19
2008-12-23 20:11 <DIR> --d----- c:\docume~1\jefftw~1\applic~1\KRKsoft
2008-12-23 12:10 8,628 a---h--- c:\windows2\system32\cmmgr32.GID
2008-12-14 23:18 <DIR> --d----- c:\docume~1\jefftw~1\applic~1\codeblocks
2008-12-14 01:59 49,152 a------- c:\windows2\system32\ChCfg.exe
2008-12-14 01:58 315,392 a------- c:\windows2\alcupd.exe
2008-12-11 16:55 <DIR> --d----- c:\program files\TagScanner
2008-12-03 21:16 410,984 a------- c:\windows2\system32\deploytk.dll

==================== Find3M ====================

2008-12-19 12:43 2,516 a--sh--- c:\windows2\system32\KGyGaAvL.sys
2008-10-28 17:36 823,296 a------- c:\windows2\system32\divx_xx0c.dll
2008-10-28 17:36 823,296 a------- c:\windows2\system32\divx_xx07.dll
2008-10-28 17:35 815,104 a------- c:\windows2\system32\divx_xx0a.dll
2008-10-28 17:35 802,816 a------- c:\windows2\system32\divx_xx11.dll
2008-10-28 17:35 684,032 a------- c:\windows2\system32\DivX.dll
2008-09-29 09:14 28,672 a------- c:\windows2\system32\Partizan.exe
2004-10-17 22:36 2,146,304 a------- c:\program files\PowerInternetTV 3.bak
2008-08-06 14:33 88 ---shr-- c:\windows2\system32\B51130D402.sys
2006-05-03 04:06 163,328 a--shr-- c:\windows2\system32\flvDX.dll
2007-02-21 05:47 31,232 a--shr-- c:\windows2\system32\msfDX.dll
2008-03-16 07:30 216,064 a--shr-- c:\windows2\system32\nbDX.dll

============= FINISH: 16:48:11.78 ===============

BC AdBot (Login to Remove)

 


#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the &quot;Logic Free Zone&quot;, in Md, USA
  • Local time:02:46 AM

Posted 07 January 2009 - 01:42 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

This may seem repetitive, but we need to see the current status of your system, please.
Please Hold on it may take us a day or so to get back with you.

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 epoclaen

epoclaen
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:01:46 AM

Posted 07 January 2009 - 10:10 AM

This issue has been resolved.

It was a simple matter of the cables for the hard drive being loose. Re-seating them corrected the problem.

#4 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the &quot;Logic Free Zone&quot;, in Md, USA
  • Local time:02:46 AM

Posted 07 January 2009 - 10:16 AM

Thanks for informing us.

This thread is closed.
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users