
Main Accounting Computer infected with Virtumonde/Spyware



#1 APPI1
  • Members

Posted 20 January 2009 - 01:35 PM

Topic: Main Accounting Computer infected with Virtumonde/Spyware
Topic Description: Not able to remove or clean up

Our main Accounting computer appears to be infected by the Virtumonde virus and has some type of Spyware. Virtumonde was detected by some of the other detection/removal programs but seems like it keeps popping up. The Spyware also showed up but also because I noticed when I had gone on the internet using the infected PC, it was automatically redirecting the website to other advertising websites. I was able to write down two of them (firstadsnetwork.com & web1.internetrewardcenter.com).

I downloaded and installed Microsoft Live OneCare but this failed to catch anything and seems to be a waste of money. I also loaded Spybot and it caught 11 Trojans and numerous spyware. I cleaned them up using Spybot but some continue to exist. Today I also tried Windows Defender but this also seems to not work.

I've turned off the System Restore before doing all of these in case it was hiding in one of the restore files but still made no difference.

After several days of fighting with this thing and after seeing the name bleepingcomputer.com referred to over and over again, it was apparent that this has become the best source for assistance. This computer is running Windows XP Pro SP3.

We are operating on a Local Area Network and several of the other PCs on this network access this computer as it stores most of the data for our accounting system.

I have uninstalled the Microsoft Live OneCare and Spybot and have run the HijackThis program and have pasted the DDS.txt below and have attached the attach.txt file as instructed. Please assist us on how to properly remove the unwanted virus and spyware programs.

Also - can you please recommend a Virus Protection software for the computers on our network. We have 12 PCs and a server and have several Macs. I have used McAfee and Norton before but both seem to be RAM hogs anymore. So if you have a recommendation I would appreciate that.

DDS.txt

DDS (Ver_09-01-18.01) - NTFSx86
Run by Iris Ramil at 12:26:01.71 on Tue 01/20/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3317.2657 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\AMT\atchk.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
C:\WINDOWS\system32\tlntsvr.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Iris Ramil\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.appi1.com/
uSearch Bar =
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3080125
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: {7C29F770-C3D2-4F49-938D-ACF1B8A88544} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.0.301.7164\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [atchk] "c:\program files\intel\amt\atchk.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [Ntifis] rundll32.exe "c:\windows\Hjogupu.dll",e
mRun: [Clobasaz] rundll32.exe "c:\windows\ewikiyit.dll",e
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks enterprise solutions 5.0\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: igfxcui - igfxdev.dll
Notify: urqPiHaX - urqPiHaX.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\ljJATKdE

============= SERVICES / DRIVERS ===============

R4 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-1-23 133968]
R4 QuickBooksDB18;QuickBooksDB18;c:\progra~1\intuit\quickb~1.0\qbdbmgrn.exe -hvquickbooksdb18 --> c:\progra~1\intuit\quickb~1.0\QBDBMgrN.exe -hvQuickBooksDB18 [?]
R4 UNS;Intel® Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2009-1-7 2521880]
R4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [2007-1-23 42832]

=============== Created Last 30 ================

2009-01-20 08:32 2,702 -------- c:\windows\system32\tmp.reg
2009-01-19 20:14 552 -------- c:\windows\system32\DO_NOT_DELETE.backupSetID
2009-01-19 18:30 116,224 -------- c:\windows\system32\dllcache\xrxwiadr.dll
2009-01-19 18:30 23,040 -------- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-01-19 18:28 19,528 -------- c:\windows\system32\dllcache\w840nd.sys
2009-01-19 18:27 50,176 -------- c:\windows\system32\dllcache\umaxp60.dll
2009-01-19 18:26 7,040 -------- c:\windows\system32\dllcache\tandqic.sys
2009-01-19 18:25 7,040 -------- c:\windows\system32\dllcache\snyaitmc.sys
2009-01-19 18:24 18,400 -------- c:\windows\system32\dllcache\sgsmld.sys
2009-01-19 18:23 79,872 -------- c:\windows\system32\dllcache\rwia430.dll
2009-01-19 18:22 19,840 -------- c:\windows\system32\dllcache\philtune.sys
2009-01-19 18:21 27,209 -------- c:\windows\system32\dllcache\otc06x5.sys
2009-01-19 18:20 21,888 -------- c:\windows\system32\dllcache\mxcard.sys
2009-01-19 18:19 606,684 -------- c:\windows\system32\dllcache\ltmdmnt.sys
2009-01-19 18:18 372,824 -------- c:\windows\system32\dllcache\iconf32.dll
2009-01-19 18:17 32,768 -------- c:\windows\system32\dllcache\hpgtmcro.dll
2009-01-19 18:16 7,040 -------- c:\windows\system32\dllcache\exabyte2.sys
2009-01-19 18:15 29,768 -------- c:\windows\system32\dllcache\divasu.dll
2009-01-19 18:14 32,256 -------- c:\windows\system32\dllcache\diapi2NT.dll
2009-01-16 07:33 133,120 -------- c:\windows\ewikiyit.dll
2009-01-16 07:21 41,984 -------- c:\windows\system32\chert5-998.exe
2009-01-16 07:21 41,984 -------- c:\windows\Hjogupu.dll
2009-01-12 20:41 <DIR> --d----- c:\docume~1\irisra~1\applic~1\Windows Search
2009-01-12 19:03 <DIR> --d----- c:\docume~1\irisra~1\applic~1\Safer Networking
2009-01-12 19:02 <DIR> --d----- c:\program files\Safer Networking
2009-01-12 16:05 1 -------- c:\windows\system32\test.ttt
2009-01-12 15:21 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-01-12 15:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-08 12:47 616 -------- c:\windows\RegGenie.ini
2009-01-08 12:47 25,992 -------- c:\windows\system32\pgdfgsvc.exe
2009-01-08 12:41 <DIR> --d----- c:\program files\RegGenie
2009-01-08 12:41 158,720 -------- c:\windows\RegGenieOnUninstall.exe
2009-01-07 13:40 5 -------- c:\windows\system32\drivers\DELL_OPT_755.MRK
2009-01-07 13:14 <DIR> --d----- c:\program files\common files\postureAgent
2009-01-07 13:14 920,344 -------- c:\windows\system32\mesoludlg.exe
2009-01-07 13:13 920,344 -------- c:\windows\system32\heciudlg.exe
2009-01-07 12:53 <DIR> --d----- C:\Intel
2009-01-07 12:51 <DIR> --d----- c:\program files\Dell
2009-01-07 12:49 49,152 -------- c:\windows\system32\DSndUp.exe
2009-01-07 12:49 45,056 -------- c:\windows\system32\CleanUp.exe
2009-01-06 20:01 <DIR> --d----- c:\windows\system32\NtmsData
2009-01-06 16:52 268,648 -------- c:\windows\system32\mucltui.dll
2009-01-06 16:52 27,496 -------- c:\windows\system32\mucltui.dll.mui
2009-01-06 14:23 <DIR> --d----- c:\docume~1\irisra~1\applic~1\Windows Desktop Search
2009-01-06 14:23 <DIR> --d----- c:\windows\system32\GroupPolicy
2009-01-06 14:23 <DIR> --d----- c:\program files\Windows Desktop Search
2009-01-06 12:39 <DIR> --d----- c:\windows\system32\scripting
2009-01-06 12:39 <DIR> --d----- c:\windows\system32\en
2009-01-06 12:39 <DIR> --d----- c:\windows\l2schemas
2009-01-06 12:38 <DIR> --d----- c:\windows\ServicePackFiles
2009-01-06 12:37 <DIR> --d----- c:\windows\network diagnostic
2009-01-05 21:56 3,380 -------- c:\windows\system32\OEMINFO.PNF
2009-01-05 19:46 <DIR> --d----- c:\program files\Trend Micro
2009-01-05 19:46 0 -------- c:\windows\system32\mcrh.tmp
2009-01-05 18:54 211 -------- C:\boot.ini.save
2009-01-05 18:14 323,561 a------- C:\OneCareSupportData.zip
2009-01-05 17:59 <DIR> --d----- c:\windows\system32\bits
2009-01-05 17:59 7,168 -------- c:\windows\system32\dllcache\bitsprx4.dll
2009-01-05 17:59 7,168 -------- c:\windows\system32\bitsprx4.dll
2009-01-05 15:29 446,464 -----r-- c:\windows\system32\hhactivex.dll
2009-01-05 15:29 328,480 -------- c:\windows\system32\ssa3d30.ocx
2009-01-05 15:29 176,128 -------- c:\windows\system32\RcdScan.dll
2009-01-05 15:29 171,967 -------- c:\windows\system32\Odbcjet.hlp
2009-01-05 15:29 89,360 -------- c:\windows\system32\VB5DB.DLL
2009-01-05 15:29 7,348 -------- c:\windows\system32\Odbcjet.cnt
2009-01-05 15:29 13,632 -------- c:\windows\system32\drivers\omci.sys
2009-01-05 13:43 <DIR> --d----- c:\windows\pss

==================== Find3M ====================

2009-01-09 15:41 26,176 -------- c:\docume~1\irisra~1\applic~1\GDIPFONTCACHEV1.DAT
2009-01-07 13:40 5 -------- c:\windows\system32\drivers\1028_Dell_OPT_755.mrk
2009-01-06 12:41 87,699 -------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-13 01:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-11-07 16:45 2,174,976 -------- c:\windows\system32\dllcache\wmvcore.dll
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2002-06-26 22:57 415,984,582 -------- c:\program files\Office XP Pro.zip

============= FINISH: 12:26:15.81 ===============
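An added example, not part of the original thread or of the DDS tool: a small Python script that scans the "Pseudo HJT Report" section of a DDS log for the three patterns a malware responder would flag in the log above (rundll32 loading a DLL straight out of the Windows folder with a one-letter export, a Winlogon Notify package with a random-looking name, and an extra LSA Authentication Package). The sample input is constructed from lines on this page; the heuristics are this example's own, not a DDS or BleepingComputer feature.

```python
import re

# Constructed sample in the shape of the DDS "Pseudo HJT Report" section above:
# two benign entries and four that a responder would look at more closely.
SAMPLE_REPORT = """\
mRun: [atchk] "c:\\program files\\intel\\amt\\atchk.exe"
mRun: [Ntifis] rundll32.exe "c:\\windows\\Hjogupu.dll",e
mRun: [Clobasaz] rundll32.exe "c:\\windows\\ewikiyit.dll",e
Notify: igfxcui - igfxdev.dll
Notify: urqPiHaX - urqPiHaX.dll
LSA: Authentication Packages = msv1_0 c:\\windows\\system32\\ljJATKdE
"""

def check_run(value):
    # rundll32 loading a DLL that sits directly in c:\windows, called with a
    # one-letter export name: the autorun shape seen in the log above.
    if re.match(r'rundll32\.exe\s+"c:\\windows\\[^\\"]+\.dll",\w$', value, re.I):
        return "rundll32 loads a DLL from the Windows root with a one-letter export"
    return None

def check_notify(value):
    # Heuristic: legitimate Winlogon Notify DLLs carry lowercase vendor-style
    # names; a mixed-case stem like urqPiHaX looks machine-generated.
    dll = value.rpartition(" - ")[2]
    stem = dll[:-4] if dll.lower().endswith(".dll") else dll
    if re.search(r"[a-z]", stem) and re.search(r"[A-Z]", stem):
        return "Winlogon Notify package with a random-looking name"
    return None

def check_lsa(value):
    # The stock XP value is just msv1_0; anything extra is loaded into LSASS.
    extra = [t for t in value.split() if t.lower() != "msv1_0"]
    if extra:
        return "extra LSA authentication package: " + " ".join(extra)
    return None

def scan_report(text):
    """Return a (line, reason) tuple for every entry one of the checks flags."""
    findings = []
    for line in text.splitlines():
        key, _, rest = line.partition(": ")
        reason = None
        if key in ("uRun", "mRun", "dRun"):
            reason = check_run(rest.partition("] ")[2])
        elif key == "Notify":
            reason = check_notify(rest)
        elif key == "LSA" and rest.startswith("Authentication Packages"):
            reason = check_lsa(rest.partition("= ")[2])
        if reason:
            findings.append((line, reason))
    return findings
```

Run `scan_report(SAMPLE_REPORT)` to get the four flagged lines; feeding it the full report section of a real DDS log works the same way, since the function ignores keys it has no check for.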

#2 APPI1

  • Topic Starter

Posted 27 January 2009 - 09:44 AM

Good Morning BleepingComputer.Com Tech Support,
I realize you're swamped and apparently this service has outgrown the capabilities of the volunteers. After a week, we cannot wait any longer. I will be re-installing the Operating System and hope to write over the problem.

I would be willing to pay for this type of service - does anyone have a recommendation on a service like this?

To the Volunteers - thank you for donating your time and trying to help so many people. You are amazing people and deserve to be honored.

Thanks again,
APPI1

#3 PropagandaPanda

  • Malware Response Team

Posted 29 January 2009 - 06:02 PM

Hello APPI1.

Yes, unfortunately, there are just too many topics for us to handle. The line stretches back more than a couple of weeks at the moment.

I am not aware of such a free service.

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda