Spybot finds Virtumonde

#1 grendelfox


Posted 01 April 2009 - 12:16 AM

Spybot nearly always finds multiple Virtumonde instances and is usually able to delete them. However if I run it again immediately, it finds Virtumonde again, if not always the same instances or number of instances.

I tried other tools such as VundoFix7, FixVundo, Kaspersky's downloadable tool and SDFix. Most were unable to recognize an infection at all.
I did see that older versions of Spybot can have false positives of Virtumonde, but I have the most up to date version.

For a while I seemed able to keep up with it by running Spybot regularly and denying changes to the registry. Recently however, I have seen a steady increase in popup windows and decreasing performance - though after running SDFix, things seem a bit better.

Here is the DDS file

DDS (Ver_09-03-16.01) - NTFSx86
Run by Admin at 16:34:25.06 on Tue 03/31/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.895.110 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\PC Connectivity Solution\Transports\NclBCBTSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Admin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msnbc.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {301f5c89-ccd1-4610-a39d-54c57ac2e224} - c:\windows\system32\vawibego.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PcSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog
uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [bebowavuwu] Rundll32.exe "c:\windows\system32\vuladihi.dll",s
mRun: [48e4111d] rundll32.exe "c:\windows\system32\sivotumo.dll",b
mRunOnce: [SpybotDeletingC7665] cmd /c del "c:\windows\system32\dahihiwi.dll_old"
mRunOnce: [SpybotSnD] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
mRunOnce: [Spybot - Search & Destroy] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
StartupFolder: c:\docume~1\admin\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\admin\startm~1\programs\startup\is-vvsdq.lnk - c:\documents and settings\admin\desktop\virus removal tool1\is-vvsdq\startup.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dvdche~1.lnk - c:\program files\intervideo\dvd check\DVDCheck.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
Trusted Zone: turbotax.com
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83}
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236360935218
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236360897437
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\zoponeji.dll c:\windows\system32\bubopoyu.dll c:\windows\system32\dahihiwi.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\dahihiwi.dll
LSA: Notification Packages = scecli c:\windows\system32\zoponeji.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\jsx7vpaw.default\
FF - prefs.js: browser.startup.homepage - www.msnbc.com
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npitunes.dll
FF - plugin: c:\program files\nokia\ovi maps\mozilla firefox plugin\xpi\plugins\npNMapG.dll

============= SERVICES / DRIVERS ===============

R1 is-6765Kdrv;is-6765Kdrv;c:\windows\system32\drivers\65713470.sys [2009-3-27 148496]
R1 is-950BVdrv;is-950BVdrv;c:\windows\system32\drivers\14238578.sys [2009-3-27 148496]
R1 is-VC98Edrv;is-VC98Edrv;c:\windows\system32\drivers\46158060.sys [2009-3-23 148496]
R1 is-VVSDQdrv;is-VVSDQdrv;c:\windows\system32\drivers\41733789.sys [2009-3-23 148496]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-27 201320]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-1-27 203280]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-1-27 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-1-27 144704]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2005-10-26 36352]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-1-27 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-1-27 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-1-27 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-1-27 40488]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-1-27 33832]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-1-11 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-1-11 8320]

=============== Created Last 30 ================

2009-03-31 11:07 <DIR> --d----- c:\windows\ERUNT
2009-03-29 16:14 <DIR> --d----- C:\SDFix
2009-03-27 08:39 148,496 a------- c:\windows\system32\drivers\14238578.sys
2009-03-27 08:05 148,496 a------- c:\windows\system32\drivers\65713470.sys
2009-03-25 08:56 2,713 ---sh--- c:\windows\system32\vumefesa.dll
2009-03-25 08:56 2,713 ---sh--- c:\windows\system32\luravufa.dll
2009-03-24 08:56 27,745 a--sh--- c:\windows\system32\nuvanifi.dll
2009-03-24 08:56 0 ---sh--- c:\windows\system32\fusigagi.dll
2009-03-23 09:38 148,496 a------- c:\windows\system32\drivers\41733789.sys
2009-03-23 09:25 86,536,224 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-03-23 09:25 940,808 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-03-23 09:24 148,496 a------- c:\windows\system32\drivers\46158060.sys
2009-03-22 21:22 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-22 21:17 <DIR> --d----- c:\documents and settings\admin\Temp
2009-03-19 09:24 <DIR> --d----- C:\VundoFix Backups
2009-03-18 07:04 608 a------- c:\windows\wininit.ini
2009-03-17 21:52 3 a------- c:\windows\sbacknt.bin
2009-03-17 21:49 152,904 a------- c:\windows\system32\vghd.scr
2009-03-17 21:49 <DIR> --d----- c:\program files\vghd
2009-03-17 21:49 <DIR> --d----- c:\docume~1\admin\applic~1\vghd
2009-03-17 21:32 <DIR> --d----- c:\program files\eToro
2009-03-13 21:59 <DIR> --d-h--- c:\windows\PIF
2009-03-07 09:00 <DIR> --d----- c:\program files\MSXML 4.0
2009-03-06 10:56 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-03-06 10:50 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-03-06 10:47 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-03-06 10:46 63,488 -c------ c:\windows\system32\dllcache\icardie.dll
2009-03-06 10:38 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-03-06 10:36 31,768 a------- c:\windows\system32\wucltui.dll.mui
2009-03-06 10:36 23,576 a------- c:\windows\system32\wuaucpl.cpl.mui
2009-03-06 10:36 18,456 a------- c:\windows\system32\wuaueng.dll.mui
2009-03-06 10:36 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-03-06 10:36 <DIR> --d----- c:\windows\system32\SoftwareDistribution

==================== Find3M ====================

2009-03-31 13:55 79,872 a--sh--- c:\windows\system32\sivotumo.dll
2009-03-30 20:58 84,992 a--sh--- c:\windows\system32\veketaha.dll
2009-03-30 20:58 79,872 a--sh--- c:\windows\system32\gezibaju.dll
2009-03-29 08:57 84,992 a--sh--- c:\windows\system32\rijikoyi.dll
2009-03-27 20:57 84,992 a--sh--- c:\windows\system32\zasezara.dll
2009-03-27 20:57 79,872 a--sh--- c:\windows\system32\lijuhidi.dll
2009-03-27 08:57 79,872 a--sh--- c:\windows\system32\gawafuda.dll
2009-03-27 08:56 84,992 a--sh--- c:\windows\system32\zuhotuzo.dll
2009-03-26 20:56 84,992 a--sh--- c:\windows\system32\pokodima.dll
2009-03-25 20:55 79,872 -------- c:\windows\system32\dadirova.dll
2009-02-09 03:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-01-11 13:01 14,336 a------- c:\windows\system32\svchost.exe
2009-01-05 15:33 3,751,995 a------- c:\windows\system32\GPhotos.scr
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\vawibego.dll
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\zoponeji.dll

============= FINISH: 16:37:58.14 ===============
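
Added example, not part of this thread or of DDS: a small Python script that turns the indicators visible in the log above into detection logic, run over a constructed handful of lines in the same format. It flags system32 DLLs registered at load points such as AppInit_DLLs, LSA Notification Packages, an unnamed BHO or a rundll32 Run entry, notes the eight-letter consonant-vowel file names this log shows, and cross-references the file listing for the hidden+system attributes. The sample lines, the name heuristic and the risk labels are assumptions made for illustration, not rules from any tool.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the DDS log above (a few Pseudo HJT
# Report entries plus Find3M file entries), not the complete log.
SAMPLE_LOG = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {301f5c89-ccd1-4610-a39d-54c57ac2e224} - c:\windows\system32\vawibego.dll
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [bebowavuwu] Rundll32.exe "c:\windows\system32\vuladihi.dll",s
mRun: [48e4111d] rundll32.exe "c:\windows\system32\sivotumo.dll",b
AppInit_DLLs: c:\windows\system32\zoponeji.dll c:\windows\system32\bubopoyu.dll c:\windows\system32\dahihiwi.dll
LSA: Notification Packages = scecli c:\windows\system32\zoponeji.dll
Notify: AtiExtEvent - Ati2evxx.dll
2009-03-31 13:55 79,872 a--sh--- c:\windows\system32\sivotumo.dll
2009-02-09 03:19 1,846,272 a------- c:\windows\system32\win32k.sys
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\vawibego.dll
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\zoponeji.dll
"""
# DDS prefixes for load points that put a DLL into many or privileged processes
HIGH_RISK_PREFIXES = ("AppInit_DLLs:", "LSA:", "Notify:", "STS:")
# Heuristic taken from this log: every suspect DLL is eight letters of
# alternating consonant and vowel (vawibego, zoponeji, ...).
CV_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}$")
SYS32_DLL = re.compile(r"c:\\windows\\system32\\([a-z0-9_]+)\.dll", re.I)
FILE_ENTRY = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} [\d,]+ (\S{8}) (.+)$")

def score_log(text):
    """Return {dll_name: [reasons]} for system32 DLLs that deserve a look."""
    hits = defaultdict(list)
    hidden_system = set()
    for line in text.splitlines():
        m = FILE_ENTRY.match(line)
        if m:  # file listing: note DLLs carrying the system + hidden attributes
            attrs, path = m.groups()
            d = SYS32_DLL.search(path)
            if d and "s" in attrs and "h" in attrs:
                hidden_system.add(d.group(1).lower())
            continue
        for d in SYS32_DLL.finditer(line):  # load-point entries
            name = d.group(1).lower()
            hits[name].append("loaded via " + line.split(" ", 1)[0])
            if line.startswith(HIGH_RISK_PREFIXES):
                hits[name].append("high-risk persistence location")
            if line.startswith("BHO: {"):
                hits[name].append("BHO with no display name")
            if "rundll32" in line.lower():
                hits[name].append("Run entry starting rundll32")
            if CV_NAME.match(name):
                hits[name].append("8-letter consonant-vowel name")
    # Correlate: a load-point DLL that is also hidden+system on disk
    for name in hidden_system & set(hits):
        hits[name].append("file is hidden+system")
    return {k: sorted(set(v)) for k, v in hits.items()}

if __name__ == "__main__":
    for name, reasons in sorted(score_log(SAMPLE_LOG).items()):
        print(f"{name}.dll: {'; '.join(reasons)}")
```

Run against the real log, the same correlation explains the symptom in the first post: the entries Spybot deletes are re-created under new names by the DLLs still loaded through AppInit_DLLs and the LSA package, so each scan finds a different set.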

#2 syler


Posted 08 April 2009 - 04:19 PM

Hi grendelfox,

Sorry for the delay, the forums here at BC are always very busy and we do our best to keep up. Since it has been a while since you posted your HijackThis log I would like to see a new log.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)


#3 syler


Posted 11 April 2009 - 12:34 PM


Peer-to-Peer Programs Warning
Your log shows that you are using so called peer-to-peer or file-sharing programs (in your case emule). These programs allow users to share files between them, as the name(s) suggest. In today's world cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along with the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s). However, please refrain from using them until your computer has been declared clean.

Before you do any of the next steps you need to temporarily disable the TeaTimer protection in Spybot, as it may stop the tools we use from doing their job.

To disable Teatimer, open Spybot and click on the Mode tab and select Advanced mode.
It will ask you if you're sure you want to go into advanced mode; select yes.
Now go to tools and click on the resident tab.
Uncheck the box that says "Resident "TeaTimer" (Protection of over-all system settings) active".
Then close Spybot and reboot your computer.


Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.


Please click this link-->Jotti
When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\documents and settings\admin\desktop\virus removal tool1\is-vvsdq\startup.exe

Please post back the results of the scan in your next post.
If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/


Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Please post back here with:
  • Jotti results
  • Malwarebytes log
  • Both Rsit logs


#4 syler


Posted 13 April 2009 - 10:15 AM

Hi grendelfox, can you let me know if you still require my help.



#5 Shaba



Posted 18 April 2009 - 12:51 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
