
VirtuMonde Infection

  • This topic is locked
2 replies to this topic

#1 emyrn


  • Members
  • 13 posts
  • Local time: 10:36 AM

Posted 27 December 2008 - 04:26 AM

Long story short, I have a Virtumonde infection that has been detected by Spybot, Ad-Aware and McAfee. McAfee has been all but useless and the other two have detected and removed it only for Virtumonde to immediately reappear. (Probably irrelevant but my thoughts... I think it was time-delayed activation in being hit with it. McAfee quarantined the adware file back on 12/7/08 but it must have made its way into my computer as it suddenly activated around midnight, Christmas evening/day after Christmas.) Anyway I need help.

Two other notes: Windows Security Alerts has been disabled and is unable to be re-enabled. Mozilla Firefox no longer adds a tab when I open a link from a program but instead opens a new Firefox window. Both side effects I assume from Virtumonde.

Edit: Forgot to attach the Attach.txt file. Sorry.

I did a DDS scan and here is the log:

DDS (Version 1.1.0) - NTFSx86
Run by emryn at 22:53:30.18 on Sat 12/27/2008
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2634 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Security\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe
C:\Program Files\ASUS\AI Suite\AiGear3\CpuPowerMonitor.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HiJack This\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: {e10559b0-2fd6-4368-dd34-640132469653}: {35696423-1046-43dd-8634-6df20b95501e} - c:\windows\system32\cbljal.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\geBTKbXr.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {acab097a-a675-42c2-8209-26c533d5ce27} - c:\windows\system32\ddcDvtRj.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Ai Nap] "c:\program files\asus\ai suite\ainap\AiNap.exe"
mRun: [CPU Power Monitor] "c:\program files\asus\ai suite\aigear3\CpuPowerMonitor.exe"
mRun: [Cpu Level Up help] c:\program files\asus\ai suite\CpuLevelUpHelp.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SecurDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
mRun: [InCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
StartupFolder: c:\docume~1\emryn\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.4\program\quickstart.exe
IE: Download Link Using Mega Manager... - c:\program files\megaupload\mega manager\mm_file.htm
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\emryn\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Notify: geBTKbXr - geBTKbXr.dll
AppInit_DLLs: cbljal.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\geBTKbXr.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\ddcDvtRj

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\emryn\applic~1\mozilla\firefox\profiles\li69i8m6.default\
FF - plugin: c:\program files\games\gametap\bin\release\npgametaptool.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-8 201320]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\security\lavasoft\ad-aware\aawservice.exe" [2008-5-12 611664]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-6-8 359248]
R2 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\McShield.exe [2008-6-8 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-6-8 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-6-8 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-6-8 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-6-8 40488]
S3 LiveTurbineMessageService;Turbine Message Service - Live;"c:\program files\games\turbine\turbine download manager\TurbineMessageService.exe" [2008-10-2 249856]
S3 LiveTurbineNetworkService;Turbine Network Service - Live;"c:\program files\games\turbine\turbine download manager\TurbineNetworkService.exe" [2008-10-2 212992]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-6-8 33832]

=============== Created Last 30 ================

2008-12-27 04:27 941,289 a--sh--- c:\windows\system32\jRtvDcdd.ini2
2008-12-27 04:00 <DIR> --d----- c:\program files\HiJack This
2008-12-27 03:58 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-27 02:15 <DIR> --d----- c:\docume~1\emryn\applic~1\McAfee
2008-12-27 00:32 1,299,082 ---sh--- c:\windows\system32\neofnfqw.ini
2008-12-27 00:26 135,680 a------- c:\windows\system32\cbljal.dll
2008-12-27 00:26 135,680 a------- c:\windows\system32\joayyejo.dll
2008-12-26 22:26 <DIR> --d----- c:\documents and settings\emryn\.housecall6.6
2008-12-26 01:49 151 a------- c:\windows\wininit.ini
2008-12-26 01:33 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-26 01:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-26 00:23 52,224 a------- c:\windows\system32\ddcBronn.dll
2008-12-26 00:21 135,680 a------- c:\windows\system32\uepajo.dll
2008-12-26 00:21 135,680 a------- c:\windows\system32\knpfbjly.dll
2008-12-26 00:20 941,376 a--sh--- c:\windows\system32\jRtvDcdd.ini
2008-12-26 00:20 294,400 a------- c:\windows\system32\ddcDvtRj.dll
2008-12-26 00:15 45,056 a------- c:\windows\system32\nnnlklml.dll
2008-12-26 00:15 52,224 a------- c:\windows\system32\geBTKbXr.dll
2008-12-26 00:15 63,488 a------- c:\windows\system32\prunnet.exe
2008-12-12 19:12 <DIR> --d----- c:\docume~1\emryn\applic~1\Shape games
2008-12-06 15:41 255,409 a------- c:\windows\A Tale in the Desert Uninstaller.exe
2008-11-28 21:11 <DIR> --d----- c:\windows\pss
2008-11-28 18:47 <DIR> --d----- c:\docume~1\emryn\applic~1\GameInvest

==================== Find3M ====================

2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-15 20:00 666,112 a------- c:\windows\system32\wininet.dll
2008-10-03 05:02 247,326 -------- c:\windows\system32\strmdll.dll
2008-10-02 09:07 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-07-22 16:38 32 a----r-- c:\documents and settings\all users\hash.dat
2008-07-04 20:03 22,328 a------- c:\docume~1\emryn\applic~1\PnkBstrK.sys
2008-06-15 23:15 0 a------- c:\program files\error.dat

============= FINISH: 22:54:29.87 ===============

Edited by emyrn, 27 December 2008 - 10:57 PM.

#2 jedi


  • Members
  • 274 posts
  • Gender: Male
  • Location: UK
  • Local time: 10:36 AM

Posted 02 January 2009 - 07:06 AM


We will begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:


* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.


#3 jedi


  • Members
  • 274 posts
  • Gender: Male
  • Location: UK
  • Local time: 10:36 AM

Posted 20 January 2012 - 06:32 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
