Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Computer infected with Virtumonde (I think)


  • Please log in to reply
9 replies to this topic

#1 burningdarkness

burningdarkness

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, MA
  • Local time:10:28 AM

Posted 01 April 2009 - 08:14 PM

Hello, all.

My friend brought his computer to me a couple days ago. He told me that he thinks he has a virus. After trying to fix it for the last two nights, I have decided that the problem is beyond my area of expertise. While searching for information on the web, I stumbled here and thought it would be a good idea to request assistance. I will try to detail as much as I know about the computer and what I did in this post.

- Computer is sluggish (XP Pro SP3)
- Before I uninstalled it, an older version of Java (5 something) was on his computer
- Pop up ads occasionally appear while browsing the web in Firefox 2.0.0.20
- I have turned off system restore
- I have tried clearing out all the cache files and temporary files
- I ran Spybot and it told me that Virtumonde was on the system, but it could not remove the files
- I tried running VundoFix, which did not find anything
- I uninstalled an outdated version of McAfee and installed Avast!, which detects a rootkit every now and then
- I disabled the following startup processes and deleted the corresponding files from C:\windows\system32 : mirajehi.dll (rundll32.exe "c:\windows\system32\mirajehi.dll", b ) ; jogihuju (rundll32.exe "c:\windows\system32\jogihuju.dll",a) ; vowunaka (rundll32.exe "c:\windows\system32\vowunaka.dll",s)
- Last night, I made Avast! run a scan before booting into the Windows environment. It put two files in quarantine: 140[1].htm from C:\Documents and Settings\Administrator.BOSTON-Y82R7LRE\Local Settings\Temporary Internet Files\Content.IE5\QXINFE9Q, which Avast! identifies as JS:FakeAV-J [Trj] and yogobeyi.dll from C:\windows\system32, which is identified as Win32:Rootkit-gen [Rtk]
- Upon starting it up tonight, I noticed that there are two new suspicious startup processes similar to the aforementioned examples: zuzogomi.dll and sayiwido.dll. Additionally, it seems as if it has killed the real time scanning afforded by Avast!

This is about all I can remember right now. If there's anything I overlooked, please let me know. I appreciate whatever help I can get with regards to this problem.

Thank you in advance.

Edited by burningdarkness, 01 April 2009 - 08:18 PM.


BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,039 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:28 AM

Posted 01 April 2009 - 08:21 PM

Hello and welcome,We should get a scan log from MBAM. Vundo Fix is an old tool and this is the best for this.

Next run MBAM:
Please download Malwarebytes Anti-Malware (v1.35) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.


If your Java is outdated follow these instructions..
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 13.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 burningdarkness

burningdarkness
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, MA
  • Local time:10:28 AM

Posted 01 April 2009 - 08:58 PM

boopme,

Thank you very much for your prompt reply. I have run a scan with MBAM. The log file is as follows:

Malwarebytes' Anti-Malware 1.35
Database version: 1931
Windows 5.1.2600 Service Pack 3

4/1/2009 9:47:51 PM
mbam-log-2009-04-01 (21-47-51).txt

Scan type: Quick Scan
Objects scanned: 65598
Time elapsed: 8 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 11
Registry Values Infected: 5
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\zuzogomi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\sayiwido.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31743626-f41a-4a3c-9233-62f3b5d6e732} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{31743626-f41a-4a3c-9233-62f3b5d6e732} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6c2c1518 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm6f1f2684 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\zuzogomi.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\zuzogomi.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\sayiwido.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\odiwiyas.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\zuzogomi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dazetaha.exe (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\dizupiva.exe (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\kukeyuwi.exe (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\jowuhese.exe (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\zadoweni.exe (Trojan.Vundo) -> Delete on reboot.
C:\END (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Java is being reinstalled now. I forgot to mention in the original post that I could not pull up Symantec.com or java.com in the browser before running MBAM. After running MBAM, I was able to navigate to those pages.

#4 burningdarkness

burningdarkness
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, MA
  • Local time:10:28 AM

Posted 01 April 2009 - 09:34 PM

Ran a scan with Avast! after using MBAM. A notification just popped up saying that malware was found.

Win32:Rootkit-gen [Rtk] was found in c:\windows\system32\trz10.tmp

I clicked the option to move it to the quarantine folder, which I was told happened successfully.

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,039 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:28 AM

Posted 01 April 2009 - 09:39 PM

Good News!! These are stubborn malware so when you've completed the Java repair do these next.
Run ATF nad SAS:
From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Then Rerun MBAM

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan.
After scan click Remove Selected, Post new scan log and Reboot into normal mode

Please ask any needed questions,post 2 logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 burningdarkness

burningdarkness
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, MA
  • Local time:10:28 AM

Posted 01 April 2009 - 11:53 PM

Just finished with the scans. That SUPERAntiSpyware scan took a long time.

Here are the logs:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/02/2009 at 00:32 AM

Application Version : 4.26.1000

Core Rules Database Version : 3824
Trace Rules Database Version: 1780

Scan type : Complete Scan
Total Scan Time : 01:32:18

Memory items scanned : 225
Memory threats detected : 0
Registry items scanned : 5494
Registry threats detected : 2
File items scanned : 57058
File threats detected : 5

Rogue.Component/Trace
HKU\S-1-5-21-1678773363-70213241-815513499-500\Software\Microsoft\FIAS4051
HKU\S-1-5-21-1678773363-70213241-815513499-500\Software\Microsoft\FIAS4057

Adware.Tracking Cookie
.atwola.com [ C:\Documents and Settings\Administrator.BOSTON-Y82R7LRE\Application Data\Mozilla\Profiles\default\qigi63o6.slt\cookies.txt ]
.doubleclick.net [ C:\Documents and Settings\Default User\Application Data\Mozilla\Profiles\default\qigi63o6.slt\cookies.txt ]
.atwola.com [ C:\Documents and Settings\Default User\Application Data\Mozilla\Profiles\default\qigi63o6.slt\cookies.txt ]
.doubleclick.net [ C:\WINDOWS\system32\config\systemprofile\Application Data\Mozilla\Profiles\default\qigi63o6.slt\cookies.txt ]
.atwola.com [ C:\WINDOWS\system32\config\systemprofile\Application Data\Mozilla\Profiles\default\qigi63o6.slt\cookies.txt ]


-----------------------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.35
Database version: 1931
Windows 5.1.2600 Service Pack 3

4/2/2009 12:45:29 AM
mbam-log-2009-04-02 (00-45-29).txt

Scan type: Quick Scan
Objects scanned: 65832
Time elapsed: 5 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


MBAM was run in the normal environment (not in safe mode). The computer seems pretty responsive. Haven't seen any popups for a while.

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,039 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:28 AM

Posted 02 April 2009 - 10:24 AM

Hello,this looks good if there are no more symptoms by the end of the day then...

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#8 burningdarkness

burningdarkness
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, MA
  • Local time:10:28 AM

Posted 02 April 2009 - 11:51 PM

I will ask my friend tomorrow if his computer seemed symptom free and will re-enable the system restore (as I had already disabled it and deleted the previous restore points).

Thank you very much for your assistance, boopme. It is greatly appreciated.

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,039 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:28 AM

Posted 03 April 2009 - 03:13 PM

You're welcome!!
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#10 burningdarkness

burningdarkness
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, MA
  • Local time:10:28 AM

Posted 05 April 2009 - 05:37 PM

My friend reports that his computer is running fast and shows no signs of infection.

Thanks again, boopme!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users