
virtumonde.atr found by Spybot


  • This topic is locked
3 replies to this topic

#1 koontzman

koontzman

  • Members
  • 1 posts
  • OFFLINE
  • Local time:06:17 PM

Posted 08 March 2009 - 07:30 PM

I ran SpyBot S&D and Virtumonde.atr came up twice. I don't know what to do about it. I recently reinstalled Windows, and there may have been some internet activity by a family member before antivirus software was installed.


DDS (Ver_09-02-01.01) - FAT32x86
Run by Steve at 20:20:55.22 on Sun 03/08/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.223.10 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
d:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
d:\PROGRA~1\AVG\AVG8\avgemc.exe
d:\PROGRA~1\AVG\AVG8\avgrsx.exe
d:\PROGRA~1\AVG\AVG8\avgnsx.exe
d:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\RunDll32.exe
D:\PROGRA~1\AVG\AVG8\avgtray.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
d:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Steve.COMPANY-ACC0A18\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uSearch Page = hxxp://www.google.com
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - d:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - d:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - d:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [SpybotSD TeaTimer] d:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [AVG8_TRAY] d:\progra~1\avg\avg8\avgtray.exe
mRun: [ZoneAlarm Client] "d:\program files\zone labs\zonealarm\zlclient.exe"
mRunOnce: [SpybotSnD] "d:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\progra~1\spybot~1\SDHelper.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - d:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\steve~3.com\applic~1\mozilla\firefox\profiles\9tub291d.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: d:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: d:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: d:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: d:\program files\mozilla firefox\plugins\NPZoneSB.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-7 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-7 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-7 107912]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-3-8 127768]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-3-8 394952]

=============== Created Last 30 ================

2009-03-08 15:14 32 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-03-08 15:14 32 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-03-08 15:12 <DIR> --d----- c:\program files\ZoneAlarmSB
2009-03-08 14:55 <DIR> --d----- c:\docume~1\steve~3.com\applic~1\MailFrontier
2009-03-08 14:55 4,212 ----h--- c:\windows\system32\zllictbl.dat
2009-03-08 14:54 75,248 a------- c:\windows\zllsputility.exe
2009-03-08 14:54 11,264 a------- c:\windows\system32\SpOrder.dll
2009-03-08 14:48 1,086,952 a------- c:\windows\system32\zpeng24.dll
2009-03-08 14:47 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-03-08 14:47 352,918 a------- c:\windows\system32\vsconfig.xml
2009-03-08 14:46 <DIR> --d----- c:\windows\Internet Logs
2009-03-08 14:44 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Spybot - Search & Destroy
2009-03-07 21:20 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-03-07 21:20 107,912 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-07 21:20 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-03-07 21:20 <DIR> --d----- c:\docume~1\steve~3.com\applic~1\AVGTOOLBAR
2009-03-07 21:20 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\avg8
2009-03-07 20:19 712,704 a----r-- c:\windows\system32\Audio3D.dll
2009-03-07 20:19 712,704 a----r-- c:\windows\system32\a3d.dll
2009-03-07 20:19 712,704 a------- c:\windows\system32\dllcache\a3d.dll
2009-03-07 20:19 421,888 a----r-- c:\windows\system\cmicnfg.cpl
2009-03-07 20:19 917,504 a----r-- c:\windows\system\cmids3d.dll
2009-03-07 20:19 451,599 a----r-- c:\windows\system32\drivers\cmuda.sys
2009-03-07 20:19 53,248 a----r-- c:\windows\system32\cmuda.dll
2009-03-07 20:19 28,672 a----r-- c:\windows\system32\udaprop.dll
2009-02-25 16:32 227 a------- c:\windows\PowerReg.dat
2009-02-25 16:32 45,568 a------- c:\windows\UniFish3.exe
2009-02-21 15:13 26 a------- c:\windows\WAR2R.INI
2009-02-16 19:41 <DIR> --d--r-- c:\docume~1\steve~3.com\applic~1\Brother
2009-02-10 23:17 419 a------- c:\windows\BRWMARK.INI
2009-02-10 23:17 184 a------- c:\windows\system32\brsvc01a.bsi
2009-02-10 23:17 30 a------- c:\windows\system32\brss01a.ini
2009-02-10 23:17 27 a------- c:\windows\BRPP2KA.INI
2009-02-10 23:00 22 a------- c:\windows\system32\ati64hlp.stb
2009-02-08 19:06 <DIR> --d----- c:\windows\system32\URTTemp
2009-02-08 19:05 516,096 -------- c:\windows\system32\ati2sgag.exe
2009-02-08 19:05 294,912 a----r-- c:\windows\system32\atiiiexx.dll
2009-02-08 19:05 9,054 a----r-- c:\windows\system32\atifglpf.xml
2009-02-06 22:46 <DIR> --d----- c:\documents and settings\Steve.COMPANY-ACC0A18
2009-02-06 22:19 8,192 a------- c:\windows\REGLOCS.OLD
2009-02-06 22:16 6,144 a------- c:\windows\system32\dllcache\snmpmib.dll
2009-02-06 22:15 53,760 a------- c:\windows\system32\dllcache\pintlcsd.dll
2009-02-06 22:14 6,144 a------- c:\windows\system32\dllcache\kbdth2.dll
2009-02-06 22:13 94,720 a------- c:\windows\system32\dllcache\imekr61.ime
2009-02-06 22:12 94,208 a------- c:\windows\system32\dllcache\fpencode.dll
2009-02-06 22:11 177,698 a------- c:\windows\system32\dllcache\c_20949.nls
2009-02-06 22:10 19,456 a------- c:\windows\system32\dllcache\agt0404.dll
2009-02-06 22:09 2,577 a------- c:\windows\system32\CONFIG.NT
2009-02-06 22:09 0 a------- c:\windows\control.ini
2009-02-06 22:09 23,392 a------- c:\windows\system32\nscompat.tlb
2009-02-06 22:09 16,832 a------- c:\windows\system32\amcompat.tlb
2009-02-06 22:09 316,640 a------- c:\windows\WMSysPr9.prx
2009-02-06 22:07 <DIR> --dsh--- c:\documents and settings\all users.windows\DRM
2009-02-06 22:07 488 a---hr-- c:\windows\system32\WindowsLogon.manifest
2009-02-06 22:07 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-02-06 22:07 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-02-06 22:07 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-02-06 22:07 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-02-06 22:07 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-02-06 22:07 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-02-06 22:07 749 a---hr-- c:\windows\system32\cdplayer.exe.manifest
2009-02-06 22:06 4,399,505 a------- c:\windows\system32\dllcache\nls302en.lex
2009-02-06 22:06 28,160 a------- c:\windows\system32\dllcache\msoobe.exe
2009-02-06 22:06 99,840 a------- c:\windows\system32\dllcache\helphost.exe
2009-02-06 22:06 35,328 a------- c:\windows\system32\dllcache\notiflag.exe
2009-02-06 22:06 21,504 a------- c:\windows\system32\dllcache\brpinfo.dll
2009-02-06 22:06 11,264 a------- c:\windows\system32\dllcache\atrace.dll
2009-02-06 22:06 11,264 a------- c:\windows\system32\atrace.dll
2009-02-06 22:06 6,656 a------- c:\windows\system32\dllcache\hcappres.dll
2009-02-06 22:04 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-02-06 22:04 37 a------- c:\windows\vbaddin.ini
2009-02-06 22:04 36 a------- c:\windows\vb.ini
2009-02-06 22:02 147,456 a------- c:\windows\system32\dllcache\comsnap.dll
2009-02-06 21:58 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-02-06 21:56 2,305,984 a------- c:\windows\system32\ati3duag.dll
2009-02-06 21:56 870,784 a------- c:\windows\system32\ati3d1ag.dll
2009-02-06 21:56 434,176 a------- c:\windows\system32\ativvaxx.dll
2009-02-06 21:56 249,856 a------- c:\windows\system32\ati2cqag.dll
2009-02-06 21:56 221,184 a------- c:\windows\system32\ati2dvag.dll
2009-02-06 21:56 872,960 a------- c:\windows\system32\drivers\ati2mtag.sys
2009-02-06 21:56 872,960 a------- c:\windows\system32\dllcache\ati2mtag.sys
2009-02-06 21:56 41,088 a------- c:\windows\system32\drivers\SISAGP.SYS
2009-02-06 21:53 <DIR> --d--r-- c:\documents and settings\all users.windows\Documents
2009-02-06 21:53 141,702 a------- c:\windows\system32\dllcache\netfx.cat
2009-02-06 21:51 607 a------- c:\windows\system32\$winnt$.inf

==================== Find3M ====================

2009-02-06 22:37 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-07 12:15 157 a------- c:\program files\INSTALL.LOG

============= FINISH: 20:23:51.05 ===============
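Added example, not part of this thread or of the DDS tool: a small Python triage helper that splits a DDS log with the section layout shown above ("Running Processes", "Pseudo HJT Report", "Created Last 30") and pulls out the rows a helper usually looks at first: executables written straight into the Windows root or system32, hidden+system files, processes whose image is not under an expected install tree, and BHO CLSIDs with their DLL paths. The excerpt it runs on is a constructed sample modelled on a few rows of the log; the "trusted" install prefixes and the drop-location heuristics are assumptions for illustration, and everything it returns is a review list, not a verdict.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed excerpt in the DDS log layout (a handful of rows modelled on the
# post above); it is sample input for this script, not the real log.
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost.exe -k netsvcs
SVCHOST.EXE
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Steve\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - d:\program files\avg\avg8\avgssie.dll
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

=============== Created Last 30 ================

2009-03-08 15:14 32 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-03-07 21:20 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-25 16:32 45,568 a------- c:\windows\UniFish3.exe
2009-02-06 21:53 <DIR> --d--r-- c:\documents and settings\all users.windows\Documents

============= FINISH: 20:23:51.05 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")          # "==== Name ===="
CREATED_RE = re.compile(                                # date time size attrs path
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+([a-z-]{8})\s+(.+)$")
BHO_RE = re.compile(r"^BHO: (.+?): \{([0-9a-f-]{36})\} - (.+)$", re.IGNORECASE)
IMAGE_RE = re.compile(r"^(.*?\.(?:exe|scr|com))(?:\s.*)?$", re.IGNORECASE)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl", ".com", ".pif", ".bat")
# Assumed "expected" install trees for this machine (drive letters from the log).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\",
                    "d:\\program files\\", "d:\\progra~1\\")


@dataclass
class CreatedEntry:
    created: datetime
    size: Optional[int]   # None for directories
    attrs: str            # DDS attribute string, e.g. "a--sh---"
    path: str             # lower-cased for comparisons


def split_sections(text):
    """Map each '=== Name ===' header to the non-empty lines under it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def parse_created(lines):
    """Parse 'Created Last 30' rows; rows that do not fit the layout are skipped."""
    out = []
    for line in lines:
        m = CREATED_RE.match(line)
        if not m:
            continue
        stamp, size, attrs, path = m.groups()
        out.append(CreatedEntry(
            created=datetime.strptime(stamp, "%Y-%m-%d %H:%M"),
            size=None if size == "<DIR>" else int(size.replace(",", "")),
            attrs=attrs, path=path.lower()))
    return out


def dropped_executables(entries):
    """Executables written directly into the Windows root or system32 (not a
    subfolder), plus any hidden+system file. Legitimate AV/driver installers do
    this too, so the result is a list to check, not a detection."""
    flagged = []
    for e in entries:
        if e.size is None:            # directories are not of interest here
            continue
        folder, _, name = e.path.rpartition("\\")
        in_core = folder in ("c:\\windows", "c:\\windows\\system32")
        hidden_sys = "h" in e.attrs and "s" in e.attrs
        if (in_core and name.endswith(EXEC_EXT)) or hidden_sys:
            flagged.append(e.path)
    return flagged


def process_image(line):
    """Strip 'svchost.exe -k netsvcs' style arguments down to the image path."""
    m = IMAGE_RE.match(line)
    return (m.group(1) if m else line.split(" -")[0]).strip().lower()


def unusual_process_paths(lines):
    """Images outside the expected install trees, including bare names with no
    path at all. The DDS scanner itself (dds.scr on the desktop) shows up here."""
    return [img for img in map(process_image, lines)
            if not img.startswith(TRUSTED_PREFIXES)]


def parse_bhos(lines):
    """(CLSID, DLL path) pairs from BHO rows, ready to look up one by one."""
    return [(m.group(2).lower(), m.group(3).lower())
            for m in map(BHO_RE.match, lines) if m]


def triage(text):
    """Run all three checks over a DDS log and return the findings."""
    s = split_sections(text)
    return {
        "dropped_executables": dropped_executables(parse_created(s.get("Created Last 30", []))),
        "unusual_processes": unusual_process_paths(s.get("Running Processes", [])),
        "bhos": parse_bhos(s.get("Pseudo HJT Report", [])),
    }


if __name__ == "__main__":
    for key, rows in triage(SAMPLE_LOG).items():
        print(key)
        for row in rows:
            print("   ", row)
```

On the sample, the dropped-file check surfaces avgrsstx.dll and fidbox.idx alongside UniFish3.exe, and the process check flags dds.scr; that is the point of the heuristic: it narrows the log to the rows worth a lookup, and a human still decides which of them belong to AVG, ZoneAlarm or the scan tool and which need explaining.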


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:17 PM

Posted 20 March 2009 - 04:35 PM

Hello.

Could you show me the SpyBot S&D log where it's detecting Vundo?

Also, run the following scans and tell me any problems you may still have.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Download and run OTListIT2

We need to create an OTListIt2 Report
  • Please download OTListIt2 from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTListIt2 icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
  • Post both logs in your next reply please.
With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:17 PM

Posted 24 March 2009 - 03:10 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:17 PM

Posted 26 March 2009 - 03:35 PM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal forum.

With Regards,
Extremeboy




