
Need help removing Virtumonde

1 reply to this topic

#1 czydg35


  • Members
  • 1 posts
  • Local time:03:11 AM

Posted 27 December 2008 - 06:39 PM

Hello - my avast! told me that I've got the Virtumonde @ 4 o'clock this morning. If I try to remove it, it comes back immediately. It also does things like it turns off my automatic updates - I can't turn them back on, & it actually shut my antivirus off, and other typical popup and browser issues. I've tried numerous things to get rid of it, but it keeps on coming back. It sucks.

I've included the DDS logs below. Thanks so much in advance!

DDS (Version 1.1.0) - NTFSx86
Run by Jack at 18:24:21.64 on Sat 12/27/2008
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1149 [GMT -5:00]

AV: avast! antivirus 4.8.1296 [VPS 081227-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Gigabyte\Gigabyte GN-WIAG02 Wireless Mini PCI Adapter\GNConfig.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Nero\Nero8\InCD\InCD.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\AMS Services\TransactNOW\OALaunch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jack\Desktop\VundoFix.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Temp\Temporary Internet Files\Content.IE5\UNZBND65\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearchAssistant = hxxp://www.google.com/ie
BHO: {38f8e0b6-7489-428f-b672-58f61a41092f} - c:\windows\system32\xxyAQiHx.dll
BHO: {8e8eb885-7c37-246b-68c4-419fc423ed93}: {39de324c-f914-4c86-b642-73c7588be8e8} - c:\windows\system32\uikxul.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {68BD7151-6F27-4BC4-9EA9-B9EFAFAC24A6} - No File
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\yayxxuSM.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {894C08DF-FBB9-490A-86F0-FF11E3D1D1B9} - No File
BHO: {ECC2ED1A-D7B4-401C-9419-AEF3FFD4FC78} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
mRun: [GNConfig] "c:\program files\gigabyte\gigabyte gn-wiag02 wireless mini pci adapter\GNConfig.exe" -nogui
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [CHotkey] mHotkey.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [DiskeeperSystray] "c:\program files\executive software\diskeeper\DkIcon.exe"
mRun: [Acronis True Image Monitor] "c:\program files\acronis\trueimage\TrueImageMonitor.exe"
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [InCD] c:\program files\nero\nero8\incd\InCD.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\transa~1.lnk - c:\program files\ams services\transactnow\OALaunch.exe
mPolicies-system: LogonType = 0 (0x0)
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: google.com
Trusted Zone: huntington.com
Trusted Zone: progressive.com
Trusted Zone: AMSSetWrite.com
Trusted Zone: silverplume.com
Notify: yayxxuSM - yayxxuSM.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\yayxxuSM.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\xxyAQiHx

============= SERVICES / DRIVERS ===============

R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-8-16 111184]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2007-6-15 3968]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-7-7 611664]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-8-16 20560]
R2 avast! Antivirus;avast! Antivirus;"c:\program files\alwil software\avast4\ashServ.exe" [2008-8-16 155160]
R2 Maxtor Sync Service;Maxtor Service;"c:\program files\maxtor\sync\SyncServices.exe" [2008-7-21 193888]
R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\nero\nero8\incd\NBHRegInCDSrv.exe [2008-6-10 53032]
R3 avast! Mail Scanner;avast! Mail Scanner;"c:\program files\alwil software\avast4\ashMaiSv.exe" /service [2008-8-16 254040]
R3 avast! Web Scanner;avast! Web Scanner;"c:\program files\alwil software\avast4\ashWebSv.exe" /service [2008-8-16 352920]
R3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-27 38496]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
S3 PortlUSB;PortlUSB;c:\windows\system32\drivers\SiriusUSB.sys []

=============== Created Last 30 ================

2008-12-27 18:01 <DIR> --d----- c:\docume~1\jack\applic~1\Malwarebytes
2008-12-27 18:01 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-27 18:01 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-27 18:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-27 18:01 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-27 17:51 <DIR> -cd----- C:\VundoFix Backups
2008-12-27 13:13 <DIR> --d----- c:\program files\common files\Symantec Shared
2008-12-27 13:13 <DIR> --d----- c:\program files\Norton Security Scan
2008-12-27 10:34 913,339 a--sh--- c:\windows\system32\xHiQAyxx.ini2
2008-12-27 07:45 896,279 a--sh--- c:\windows\system32\xHiQAyxx (1).old
2008-12-27 05:26 143 a------- c:\windows\system32\mcrh.tmp
2008-12-27 04:30 32,768 a--sh--- c:\windows\Thumbs.db
2008-12-27 04:26 913,798 a--sh--- c:\windows\system32\xHiQAyxx.ini
2008-12-27 04:26 896,279 a--sh--- c:\windows\system32\xHiQAyxx.old
2008-12-27 04:26 303,104 a------- c:\windows\system32\xxyAQiHx.dll
2008-12-27 00:14 <DIR> --d----- c:\program files\MagicISO
2008-12-26 22:15 <DIR> --d----- c:\program files\ConvertLIT GUI
2008-12-26 17:31 1,766,400 ac------ C:\dd-wrt.v24_RC7-9063_micro_wrh54g.bin
2008-12-26 15:00 <DIR> --d----- c:\program files\DNA
2008-12-26 15:00 <DIR> --d----- c:\docume~1\jack\applic~1\DNA
2008-12-26 14:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Azureus
2008-12-26 14:27 <DIR> --d----- c:\docume~1\jack\applic~1\Azureus

==================== Find3M ====================

2008-12-27 17:43 34,468 a------- c:\windows\system32\nvModes.dat
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-03 16:49 249,856 -------- c:\windows\Setup1.exe
2008-10-03 05:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-07-24 15:01 1,313 a------- c:\documents and settings\jack\reset.cmd
2008-05-15 21:19 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051520080516\index.dat

============= FINISH: 18:25:34.00 ===============
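An added triage example, not part of the original post or of the DDS tool: this Python script scans the Pseudo HJT Report and Created Last 30 lines above for the Vundo/Virtumonde pattern the log shows (unnamed BHOs, Winlogon Notify/SEH hooks and an extra LSA authentication package pointing at random-looking DLLs in system32, each paired with a hidden+system data file whose name is the DLL stem reversed). The excerpt is copied from the posted log with two benign BHOs kept as controls; the rules are heuristics written for this example, not DDS's own logic.

```python
import re
from collections import defaultdict

# Lines copied from the DDS log posted above: the BHO/Notify/SEH/LSA hooks and
# three "Created Last 30" entries. The Spybot and Java BHOs are benign controls.
DDS_EXCERPT = r"""
BHO: {38f8e0b6-7489-428f-b672-58f61a41092f} - c:\windows\system32\xxyAQiHx.dll
BHO: {8e8eb885-7c37-246b-68c4-419fc423ed93}: {39de324c-f914-4c86-b642-73c7588be8e8} - c:\windows\system32\uikxul.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\yayxxuSM.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
Notify: yayxxuSM - yayxxuSM.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\yayxxuSM.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\xxyAQiHx
2008-12-27 10:34 913,339 a--sh--- c:\windows\system32\xHiQAyxx.ini2
2008-12-27 04:26 913,798 a--sh--- c:\windows\system32\xHiQAyxx.ini
2008-12-27 04:26 303,104 a------- c:\windows\system32\xxyAQiHx.dll
"""

HOOK_RE = re.compile(r"^(BHO|SEH|Notify): (.*?) - (.+)$")
LSA_RE = re.compile(r"^LSA: Authentication Packages = (.+)$")
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} [\d,]+ (\S{8}) (.+)$")
GUID_ONLY_RE = re.compile(r"^(\{[0-9a-f-]+\}[: ]*)+$", re.I)
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{6,8}$")   # heuristic: Vundo-style stems

def stem(path):
    """File name without directory or extension: c:\\x\\aB.dll -> aB."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]

def in_system32(path):
    # A bare file name (as in Winlogon Notify entries) is loaded from system32.
    parent = path.lower().rsplit("\\", 1)[0] if "\\" in path else ""
    return parent in ("", r"c:\windows\system32")

def triage(text):
    """Return {file stem: [reasons]} for entries that fit the Vundo pattern."""
    hooks, lsa_pkgs, files = [], [], []
    for line in text.splitlines():
        if m := HOOK_RE.match(line):
            hooks.append(m.groups())          # (kind, descriptor, path)
        elif m := LSA_RE.match(line):
            lsa_pkgs = m.group(1).split()
        elif m := FILE_RE.match(line):
            files.append(m.groups())          # (attribute string, path)
    findings = defaultdict(set)
    for kind, desc, path in hooks:
        s = stem(path)
        if kind == "BHO" and GUID_ONLY_RE.match(desc):
            findings[s].add("BHO with no friendly name")
        if RANDOM_NAME_RE.match(s) and in_system32(path):
            findings[s].add(f"{kind} hook loads random-looking DLL from system32")
    for pkg in lsa_pkgs:
        if pkg.lower() != "msv1_0":           # the only package XP ships with
            findings[stem(pkg)].add("extra LSA authentication package")
    # Vundo keeps its data in hidden+system files named with the DLL stem reversed.
    hidden = {stem(p) for attrs, p in files if "s" in attrs and "h" in attrs}
    for s in list(findings):
        if s[::-1] in hidden:
            findings[s].add("hidden+system companion file with reversed name")
    return {k: sorted(v) for k, v in findings.items()}
```

Run `triage(DDS_EXCERPT)` on the excerpt: the three Vundo DLLs are reported with their reasons, while SDHelper.dll and ssv.dll are not.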

#2 Maurice Naggar

    Eradicator de malware

  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA
  • Local time:03:11 AM

Posted 07 January 2009 - 03:40 PM

Hello Jack and welcome to BleepingComputer forum.

As I'm sure you noticed, the HJT board here is super busy. If the issues are still around, then do the following.
I'll be your helper while we attempt to remove the malware infection.

If you have been helped elsewhere, or have fixed this problem yourself, please also let us know by reply.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
These steps are for this member only. If you are a lurker, do NOT try this on your system!

These steps are for member czydg35 only.
If you are not czydg35 and have a similar problem, do NOT post here; start your own topic.

Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.

You must disable Tea Timer while we try to remove malware; otherwise it will block changes that we need to do later.
Open Spybot Search & Destroy.
In the Mode menu, click Advanced mode if not already selected.
Choose Yes at the Warning prompt.
Expand the Tools menu.
Click Resident.
Uncheck the Resident TeaTimer box.
Click File > Exit to close.

While we try to clean your pc of malware, you must de-install BitTorrent and any other P-2-P filesharing apps.

1. Set Windows to show all files and all folders.
On your Desktop, double click My Computer, from the menu options, select Tools, then Folder Options, and then select the VIEW tab and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.

2. Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to clean out temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}.

Next: Start HijackThis. Look for these lines and place a checkmark against each of the following, if still present.

O4 - HKCU\..\Run: [33885418997425892405433635649403] C:\Program Files\Antivirus 2009\av2009.exe

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer (and any other window) is closed when you click Fix Checked!

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from :
>>> here <<<
  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.
Delete the prior copy of Combofix that you have. We always need to get the latest version.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3


After it is saved:
Double Click on Combo-Fix.exe (the red lion icon) to start it & follow the prompts.
If prompted to get the Recovery Console, do reply Yes. We'd like to have that in place.
Be patient and follow any other prompts.

Unless it prompts you for input, do NOT touch keyboard or computer.
Have plenty of patience. The process may take 30 to 40 minutes; but it does display progress.
When finished, it will produce a report for you, at C:\Combofix.txt.


We will now attempt to remove some rogues and also see if some other commonly occurring malware is there.
I do not expect that all of the items will be found. Also, keep in mind this is not a cure-all. It's a first phase pass.
Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    c:\windows\system32\xHiQAyxx (1).old
  • Return to OTMoveIt3, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


If and only if MBAM is already installed (as the case is here), then just start MBAM. Press the UPDATE tab. Click on Check for Updates button. Have patience because there has been a new version which will need to download and install.

When the Update is all done, click the Scan button and then do a FULL scan. Then follow the basic other steps (following download steps just below):

Next, please download & save Malwarebytes Anti-Malware from
http://www.download.com/Malwarebytes-Anti-..._4-10804572.htm or
http://www.besttechie.net/tools/mbam-setup.exe or

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform FULL Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Next, using Internet Explorer browser only, go to ESET Online Scanner website:
  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.
Look at contents of this file using Notepad or Wordpad.

The Frequently Asked Questions for ESET Online Scanner can be viewed here
  • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
    Otherwise the scan will take twice as long to do:
    every time the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
  • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
    (And re-enable it promptly when finished.)
  • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.

You did not save the DDS program to your system, and now it will be gone.

Download the latest version of HijackThis Installer

Save the HJT Installer to your desktop or the folder of your choice, then navigate to that folder and double-click HJTInstall.exe to start the installation.

When the Trend Micro HJT install box appears, click Install.

HijackThis (HJT) will be installed in the C:\Program Files\Trend Micro\HijackThis folder by default and a desktop shortcut will be created.
Start HijackThis. Do a scan, saving the report.

I'll need the C:\Combofix.txt,
OTMoveIt3 log,
MBAM report,
and the ESET log,
and the new HijackThis log,
and tell me: how is the system now?
Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.
Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

Edited by Maurice Naggar, 07 January 2009 - 03:55 PM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
