Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumonde infection


  • This topic is locked This topic is locked
3 replies to this topic

#1 Moody550

Moody550

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:17 AM

Posted 09 June 2009 - 11:05 PM

Hello, I have Virtumonde i need help removing it. I tried multiple scanners and vundofix not working. Halp pl0x. I will attach the logs.

Thanks in Advance, Moody


DDS (Ver_09-05-14.01) - NTFSx86
Run by pat at 20:49:35.62 on Tue 06/09/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.538 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS2\system32\svchost -k DcomLaunch
C:\WINDOWS2\system32\svchost -k rpcss
C:\WINDOWS2\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS2\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS2\system32\svchost.exe -k NetworkService
C:\WINDOWS2\system32\svchost.exe -k LocalService
C:\WINDOWS2\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
G:\TeamViewer\Version4\TeamViewer_Service.exe
C:\WINDOWS2\System32\WLTRYSVC.EXE
C:\WINDOWS2\System32\bcmwltry.exe
G:\TeamViewer\Version4\TeamViewer.exe
C:\WINDOWS2\System32\alg.exe
C:\WINDOWS2\system32\wscntfy.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Trillian\trillian.exe
C:\Documents and Settings\pat\Desktop\dds.scr
C:\WINDOWS2\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: {21c49ee9-fc2d-2e82-a88c-0c9a6c5b0c8f} - c:\windows2\oyejivul.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [MSConfig] c:\windows2\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [Nfahumafuxujabow] rundll32.exe "c:\windows2\eravarowigesife.dll",e
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: 1ca963e8573 - c:\windows2\system32\d3dx10_3332.dll
Notify: Antiwpa - antiwpa.dll
Notify: igfxcui - igfxdev.dll
Notify: __c00E990 - c:\windows2\system32\__c00E990.dat
AppInit_DLLs: c:\windows2\system32\d3dx10_3332.dll
LSA: Notification Packages = scecli dtsrfx.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: XUL Cache: {1641D6AE-50A1-47AA-AE87-7664BF99417E} - c:\documents and settings\pat\local settings\application data\{1641D6AE-50A1-47AA-AE87-7664BF99417E}

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows2\system32\drivers\PCTCore.sys [2009-4-12 130424]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-10-28 156968]
R2 TeamViewer4;TeamViewer 4;g:\teamviewer\version4\TeamViewer_Service.exe [2009-1-28 185640]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-4-12 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-4-12 1095560]

=============== Created Last 30 ================

2009-06-09 20:31 60,416 a------- c:\windows2\system32\antiwpa.dll
2009-06-09 19:48 60,416 a------- c:\windows2\system32\antiwpa.dllB9862
2009-06-09 19:32 139,264 a------- c:\windows2\system32\igfxres.dll
2009-06-09 03:33 754 a------- c:\windows2\WORDPAD.INI
2009-06-08 18:05 26,112 a------- c:\windows2\system32\__c003100.dat
2009-06-06 17:14 374,272 a--sh--- c:\windows2\system32\B.tmp
2009-06-06 17:12 374,272 a--sh--- c:\windows2\system32\A.tmp
2009-06-06 05:11 <DIR> --dsh--- c:\windows2\system32\SystemService32
2009-06-04 20:48 26,112 a------- c:\windows2\system32\__c00FCCE.dat
2009-06-03 03:01 728,064 -------- c:\windows2\system32\_000128_.tmp.dll
2009-06-03 03:01 706,048 -------- c:\windows2\system32\_000127_.tmp.dll
2009-06-03 03:01 108,544 -------- c:\windows2\system32\_000126_.tmp.dll
2009-06-02 22:00 26,112 a------- c:\windows2\system32\__c007B1A.dat
2009-06-02 03:00 728,064 -------- c:\windows2\system32\_000123_.tmp.dll
2009-06-02 03:00 706,048 -------- c:\windows2\system32\_000112_.tmp.dll
2009-06-02 03:00 108,544 -------- c:\windows2\system32\_000111_.tmp.dll
2009-06-01 23:09 374,272 a--sh--- c:\windows2\system32\2E.tmp
2009-06-01 18:19 27,648 a------- c:\windows2\system32\__c00A64A.dat
2009-06-01 03:01 728,064 -------- c:\windows2\system32\_000122_.tmp.dll
2009-06-01 03:01 706,048 -------- c:\windows2\system32\_000121_.tmp.dll
2009-06-01 03:01 108,544 -------- c:\windows2\system32\_000120_.tmp.dll
2009-06-01 01:12 120,056 -------- c:\windows2\system32\pxcpyi64.exe
2009-06-01 01:12 43,528 -------- c:\windows2\system32\drivers\PxHelp20.sys
2009-06-01 01:12 9,464 -------- c:\windows2\system32\drivers\cdralw2k.sys
2009-06-01 01:12 9,336 -------- c:\windows2\system32\drivers\cdr4_xp.sys
2009-06-01 01:12 129,784 -------- c:\windows2\system32\pxafs.dll
2009-06-01 01:12 118,520 -------- c:\windows2\system32\pxinsi64.exe
2009-06-01 01:11 <DIR> --d----- c:\program files\common files\DivX Shared
2009-05-31 13:40 728,064 -------- c:\windows2\system32\_000119_.tmp.dll
2009-05-31 13:40 706,048 -------- c:\windows2\system32\_000114_.tmp.dll
2009-05-31 13:40 108,544 -------- c:\windows2\system32\_000113_.tmp.dll
2009-05-30 18:55 27,648 a------- c:\windows2\system32\__c008AF6.dat
2009-05-30 03:00 728,064 -------- c:\windows2\system32\_000101_.tmp.dll
2009-05-30 03:00 706,048 -------- c:\windows2\system32\_000100_.tmp.dll
2009-05-30 03:00 108,544 -------- c:\windows2\system32\_000099_.tmp.dll
2009-05-29 03:00 728,064 -------- c:\windows2\system32\_000109_.tmp.dll
2009-05-29 03:00 706,048 -------- c:\windows2\system32\_000108_.tmp.dll
2009-05-29 03:00 108,544 -------- c:\windows2\system32\_000107_.tmp.dll
2009-05-28 03:01 728,064 -------- c:\windows2\system32\_000106_.tmp.dll
2009-05-28 03:01 706,048 -------- c:\windows2\system32\_000105_.tmp.dll
2009-05-28 03:01 108,544 -------- c:\windows2\system32\_000104_.tmp.dll
2009-05-28 00:13 27,648 a------- c:\windows2\system32\__c006C90.dat
2009-05-27 03:00 728,064 -------- c:\windows2\system32\_000103_.tmp.dll
2009-05-27 03:00 706,048 -------- c:\windows2\system32\_000098_.tmp.dll
2009-05-27 03:00 108,544 -------- c:\windows2\system32\_000093_.tmp.dll
2009-05-26 22:43 27,648 a------- c:\windows2\system32\__c0071C4.dat
2009-05-26 12:49 27,648 a------- c:\windows2\system32\__c00A645.dat
2009-05-26 03:00 728,064 -------- c:\windows2\system32\_000090_.tmp.dll
2009-05-26 03:00 706,048 -------- c:\windows2\system32\_000086_.tmp.dll
2009-05-26 03:00 108,544 -------- c:\windows2\system32\_000077_.tmp.dll
2009-05-25 03:01 728,064 -------- c:\windows2\system32\_000097_.tmp.dll
2009-05-25 03:01 706,048 -------- c:\windows2\system32\_000096_.tmp.dll
2009-05-25 03:01 108,544 -------- c:\windows2\system32\_000094_.tmp.dll
2009-05-24 05:14 728,064 -------- c:\windows2\system32\_000095_.tmp.dll
2009-05-24 05:14 706,048 -------- c:\windows2\system32\_000085_.tmp.dll
2009-05-24 05:14 108,544 -------- c:\windows2\system32\_000081_.tmp.dll
2009-05-23 23:10 374,272 a--sh--- c:\windows2\system32\32.tmp
2009-05-23 03:00 728,064 -------- c:\windows2\system32\_000074_.tmp.dll
2009-05-23 03:00 706,048 -------- c:\windows2\system32\_000061_.tmp.dll
2009-05-23 03:00 108,544 -------- c:\windows2\system32\_000060_.tmp.dll
2009-05-22 03:00 728,064 -------- c:\windows2\system32\_000092_.tmp.dll
2009-05-22 03:00 706,048 -------- c:\windows2\system32\_000091_.tmp.dll
2009-05-22 03:00 108,544 -------- c:\windows2\system32\_000080_.tmp.dll
2009-05-21 23:10 374,272 a--sh--- c:\windows2\system32\2A.tmp
2009-05-21 03:01 728,064 -------- c:\windows2\system32\_000089_.tmp.dll
2009-05-21 03:01 706,048 -------- c:\windows2\system32\_000088_.tmp.dll
2009-05-21 03:01 108,544 -------- c:\windows2\system32\_000087_.tmp.dll
2009-05-20 21:49 27,648 a------- c:\windows2\system32\__c0094B1.dat
2009-05-20 10:38 27,648 a------- c:\windows2\system32\__c009551.dat
2009-05-20 03:00 728,064 -------- c:\windows2\system32\_000084_.tmp.dll
2009-05-20 03:00 706,048 -------- c:\windows2\system32\_000083_.tmp.dll
2009-05-20 03:00 108,544 -------- c:\windows2\system32\_000082_.tmp.dll
2009-05-19 03:02 728,064 -------- c:\windows2\system32\_000079_.tmp.dll
2009-05-19 03:02 706,048 -------- c:\windows2\system32\_000078_.tmp.dll
2009-05-19 03:02 108,544 -------- c:\windows2\system32\_000047_.tmp.dll
2009-05-18 18:00 27,648 a------- c:\windows2\system32\__c001C84.dat
2009-05-18 03:01 728,064 -------- c:\windows2\system32\_000076_.tmp.dll
2009-05-18 03:01 706,048 -------- c:\windows2\system32\_000075_.tmp.dll
2009-05-18 03:01 108,544 -------- c:\windows2\system32\_000046_.tmp.dll
2009-05-17 03:01 728,064 -------- c:\windows2\system32\_000073_.tmp.dll
2009-05-17 03:01 706,048 -------- c:\windows2\system32\_000072_.tmp.dll
2009-05-17 03:01 108,544 -------- c:\windows2\system32\_000068_.tmp.dll
2009-05-16 03:01 728,064 -------- c:\windows2\system32\_000067_.tmp.dll
2009-05-16 03:01 706,048 -------- c:\windows2\system32\_000066_.tmp.dll
2009-05-16 03:01 108,544 -------- c:\windows2\system32\_000065_.tmp.dll
2009-05-15 03:01 728,064 -------- c:\windows2\system32\_000071_.tmp.dll
2009-05-15 03:01 706,048 -------- c:\windows2\system32\_000070_.tmp.dll
2009-05-15 03:01 108,544 -------- c:\windows2\system32\_000069_.tmp.dll
2009-05-14 03:07 728,064 -------- c:\windows2\system32\_000064_.tmp.dll
2009-05-14 03:07 706,048 -------- c:\windows2\system32\_000063_.tmp.dll
2009-05-14 03:07 108,544 -------- c:\windows2\system32\_000062_.tmp.dll
2009-05-13 03:04 728,064 -------- c:\windows2\system32\_000044_.tmp.dll
2009-05-13 03:04 706,048 -------- c:\windows2\system32\_000043_.tmp.dll
2009-05-13 03:04 108,544 -------- c:\windows2\system32\_000039_.tmp.dll
2009-05-12 03:00 728,064 -------- c:\windows2\system32\_000022_.tmp.dll
2009-05-12 03:00 706,048 -------- c:\windows2\system32\_000021_.tmp.dll
2009-05-12 03:00 108,544 -------- c:\windows2\system32\_000020_.tmp.dll
2009-05-11 03:00 728,064 -------- c:\windows2\system32\_000059_.tmp.dll
2009-05-11 03:00 706,048 -------- c:\windows2\system32\_000058_.tmp.dll
2009-05-11 03:00 108,544 -------- c:\windows2\system32\_000057_.tmp.dll

==================== Find3M ====================

2009-06-09 03:09 27,648 a------- c:\windows2\system32\__c00E990.dat
2009-06-07 18:13 516 a------- C:\xcrashdump.dat
2009-06-06 05:11 2,293 a--sh--- c:\windows2\system32\GroupPolicy000.dat
2009-05-24 17:51 23,552 a--sh--- c:\windows2\system32\autochk.dll
2009-05-07 18:32 374,272 a--sh--- c:\windows2\system32\AD.tmp
2009-05-06 02:10 374,272 a--sh--- c:\windows2\system32\17.tmp
2009-04-29 20:20 374,272 a--sh--- c:\windows2\system32\24.tmp
2009-04-27 06:45 374,272 a--sh--- c:\windows2\system32\47.tmp
2009-04-25 11:24 374,272 a--sh--- c:\windows2\system32\10.tmp
2009-04-24 14:22 374,272 a--sh--- c:\windows2\system32\36.tmp
2009-04-22 22:18 374,272 a--sh--- c:\windows2\system32\23.tmp
2009-04-19 14:52 94,208 a--sh--- c:\windows2\system32\63.tmp
2009-04-17 22:23 1,562 a------- c:\windows2\ejehudafu.dll
2009-04-17 21:21 1,562 a------- c:\windows2\ebeyiviyifani.dll
2009-04-17 20:20 1,562 a------- c:\windows2\adikexaquvet.dll
2009-04-17 19:18 1,562 a------- c:\windows2\imeqodadujodivo.dll
2009-04-17 18:18 1,546 a------- c:\windows2\ocesarevegubelix.dll
2009-04-17 17:09 1,562 a------- c:\windows2\imocivireba.dll
2009-04-17 16:17 1,618 a------- c:\windows2\prpswlpn.dll
2009-04-17 16:07 1,562 a------- c:\windows2\isimeqaguvimupa.dll
2009-04-17 14:41 1,562 a------- c:\windows2\uxofenifijorece.dll
2009-04-17 13:39 1,562 a------- c:\windows2\obufijor.dll
2009-04-17 12:37 1,562 a------- c:\windows2\iraruzon.dll
2009-04-17 11:35 1,562 a------- c:\windows2\oyojiceci.dll
2009-04-17 10:33 1,562 a------- c:\windows2\uqepehukuhoxajed.dll
2009-04-17 09:31 1,562 a------- c:\windows2\imapihax.dll
2009-04-17 09:30 1,568 a------- c:\windows2\jsckbdiz.dll
2009-04-17 08:29 1,561 a------- c:\windows2\izukovuviyaki.dll
2009-04-16 23:24 1,561 a------- c:\windows2\olurilup.dll
2009-04-16 22:22 1,561 a------- c:\windows2\upubabab.dll
2009-04-16 21:30 1,617 a------- c:\windows2\macasven.dll
2009-04-16 21:20 1,561 a------- c:\windows2\ahahalevetecofir.dll
2009-04-16 21:07 1,567 a------- c:\windows2\ELontip2.dll
2009-04-15 13:24 90,112 a------- c:\windows2\system32\dpl100.dll
2009-04-15 13:24 823,296 a------- c:\windows2\system32\divx_xx0c.dll
2009-04-15 13:24 823,296 a------- c:\windows2\system32\divx_xx07.dll
2009-04-15 13:24 815,104 a------- c:\windows2\system32\divx_xx0a.dll
2009-04-15 13:24 802,816 a------- c:\windows2\system32\divx_xx11.dll
2009-04-15 13:24 684,032 a------- c:\windows2\system32\DivX.dll
2009-04-14 21:45 374,272 a--sh--- c:\windows2\system32\58.tmp
2009-04-13 18:20 364,544 a--sh--- c:\windows2\system32\9F.tmp
2009-04-13 09:51 374,272 a--sh--- c:\windows2\system32\9A.tmp
2009-04-12 21:15 374,272 a--sh--- c:\windows2\system32\4F.tmp
2009-04-12 00:32 123,936 a------- c:\windows2\system32\__c00CB2CA.exe
2009-04-12 00:01 139,264 a------- c:\windows2\system32\d3dx10_3332.dll
2009-03-18 00:33 3,727,720 a------- c:\windows2\system32\d3dx9_35.dll

============= FINISH: 20:52:27.82 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Moody550

Moody550
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:17 AM

Posted 12 June 2009 - 06:50 PM

Bump

Hello Moody550,

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large, as are other comparable sites that help others with malware issues. Athough our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, you wouldn't want someone to assist you who is not familiar with your issue and attempt to fix it, would you?

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Regards,

The weatherman
(Moderator)

Edited by The weatherman, 14 June 2009 - 08:18 AM.


#3 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:17 AM

Posted 18 June 2009 - 11:16 PM

Hello Moody550,

Sorry for the delay.
If you still need help then please post a fresh DDS scan so I can see if anything has changed.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:17 AM

Posted 25 June 2009 - 11:56 PM

This thread will now be closed due to lack of feedback.

Edited by SifuMike, 25 June 2009 - 11:57 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users