Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Virtumonde rootkit infection

  • This topic is locked This topic is locked
3 replies to this topic

#1 JaneAusten


  • Members
  • 1 posts
  • Local time:04:03 PM

Posted 11 January 2010 - 08:32 PM

Over the last couple of days, many new and strange things are happening with this computer. It will not recognize USB devices (Logitech NX80 mouse, flash drives, wireless notebook card, etc.); web pages open spontaneously; speed is slowing. Webroot was finding Virtumonde but not deleting it; Spybot found it and appeared to delete it. Something is wrong. Thanks for helping me.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Roy Waller at 20:14:03.44 on Mon 01/11/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.428 [GMT -5:00]

AV: Webroot AntiVirus with Spy Sweeper *On-access scanning enabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
FW: Webroot AntiVirus with Spy Sweeper *disabled* {63671000-11A2-46DD-BADD-A084CABCDEAE}

============== Running Processes ===============

C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Memeo\AutoBackup\MemeoService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Roy Waller\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar =
mSearch Bar =
uInternet Settings,ProxyOverride = *.local
uSearchAssistant =
uCustomizeSearch =
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: del.icio.us Toolbar Helper: {7aa07ae6-01ef-44ec-93ca-9d7cd41ccdb6} - c:\program files\del.icio.us\internet explorer buttons\dlcsIE.dll
BHO: Encarta Web Companion Helper Object: {955be0b8-bc85-4caf-856e-8e0d8b610560} - c:\program files\common files\microsoft shared\encarta web companion\2007\ENCWCBAR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: del.icio.us: {981fe6a8-260c-4930-960f-c3bc82746cb0} - c:\program files\del.icio.us\internet explorer buttons\dlcsIE.dll
TB: Encarta Web Companion: {147d6308-0614-4112-89b1-31402f9b82c4} - c:\program files\common files\microsoft shared\encarta web companion\2007\ENCWCBAR.DLL
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [SpySweeper] c:\program files\webroot\spy sweeper\SpySweeperUI.exe /startintray
mRun: [MSConfig] "c:\windows\pchealth\helpctr\binaries\MSConfig.exe" /auto
dRunOnce: [configmsi] cmd /c "rmdir /q C:\config.msi"
dRunOnce: [supportdir] cmd /c "rmdir /q /s "c:\windows\temp\{DC78AACC-D3E4-4D92-95E8-42AFD802B8DB}""
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\lenovo\pkgmgr\\PkgMgr.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
Trusted Zone: runaware.com\www
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15015/CTSUEng.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2976BDAD-30FD-4ADD-B6AD-DF7BC54767FA} - hxxp://centricity.technicare-consulting.com/ami/install/amiconference.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234199208695
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1234198700043
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su/ocx/15023/CTPID.cab
DPF: {F9FC6CCD-DCDE-4F9B-96C9-1D4DBD33D798} - hxxp://centricity.technicare-consulting.com/ami/install/amiviewer.cab
DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} - file://d:\cdviewer\CdViewer.cab
DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-
Notify: ACNotify - ACNotify.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: psfus - psqlpwd.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
AppInit_DLLs: rinuleho.dll c:\windows\system32\fivuvujo.dll
SSODL: nunazodad - {af083c19-c1db-4bb5-85f0-a2b85423472a} - c:\windows\system32\fivuvujo.dll
STS: kupuhivus: {af083c19-c1db-4bb5-85f0-a2b85423472a} - c:\windows\system32\fivuvujo.dll
LSA: Notification Packages = scecli psqlpwd fonijana.dll

============= SERVICES / DRIVERS ===============

R0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys [2005-12-21 6912]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-12-7 29808]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2006-2-6 16384]
R2 ANISERVICE;Airgo Networks NIC Service;c:\windows\system32\aniServ.exe [2004-8-11 143360]
R2 NkPtpEnumP2;NkPtpEnumP2;c:\program files\nikon\wireless camera setup utility\NkPtpEnum.exe [2005-6-17 24064]
R2 smi2;smi2;c:\program files\smi2\smi2.sys [2005-12-21 3968]
R2 SmiHlp;SMI helper driver;c:\program files\thinkvantage fingerprint software\smihlp.sys [2006-4-25 3456]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2009-11-6 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\spy sweeper\WRConsumerService.exe [2009-2-22 1201640]
R3 VBus;Virtual Bus;c:\windows\system32\drivers\NkVBus.sys [2005-6-17 17664]
S3 USB-100;Linksys EtherFast 10/100 Compact USB Network Adapter;c:\windows\system32\drivers\USB100M.SYS [2006-2-1 27519]

=============== Created Last 30 ================

2010-01-11 23:42:06 0 d-----w- c:\program files\Trend Micro
2010-01-11 18:38:09 0 d-----w- c:\program files\CCleaner
2010-01-10 23:13:43 0 d-----w- c:\docume~1\roywal~1\applic~1\Malwarebytes
2010-01-10 23:13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-10 23:13:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-10 23:13:37 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-10 23:13:36 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-07 22:08:39 3255 ----a-w- c:\windows\system32\wbem\Outlook_01ca8fe5f7647fd0.mof
2010-01-07 14:35:36 0 d-sh--w- c:\documents and settings\roy waller\PrivacIE
2010-01-07 14:28:32 0 d-sh--w- c:\documents and settings\roy waller\IETldCache
2010-01-07 14:10:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-01-07 14:10:20 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-01-07 14:10:20 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-01-07 14:10:20 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-01-07 14:10:19 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-01-07 14:10:17 11069952 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-01-07 14:10:06 0 d-----w- c:\windows\ie8updates
2010-01-07 14:09:24 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-01-07 14:07:14 0 dc-h--w- c:\windows\ie8
2010-01-07 03:32:53 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2009-11-06 20:19:42 1563008 ----a-w- c:\windows\WRSetup.dll
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll

============= FINISH: 20:14:41.16 ===============

Attached Files

BC AdBot (Login to Remove)


#2 aommaster


    I !<3 malware

  • Malware Response Team
  • 5,289 posts
  • Gender:Male
  • Location:Dubai
  • Local time:01:03 AM

Posted 17 January 2010 - 01:18 PM

Hello, JaneAusten.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response we get overwhelmed at times but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not please perform the following below so I can have a look at the current condition of your machine.


Please note that I am in the process of my training so it may take a while for me to get back to you, as each of my fixes need to be checked by a coach first.

We need to run RSIT
  1. Download random's system information tool (RSIT) by random/random and save it to your desktop.
  2. Double click on RSIT.exe.
  3. Click Continue at the disclaimer screen.
  4. Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

In your next reply, please include the following:
  • Log.txt
  • info.txt

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM

#3 aommaster


    I !<3 malware

  • Malware Response Team
  • 5,289 posts
  • Gender:Male
  • Location:Dubai
  • Local time:01:03 AM

Posted 20 January 2010 - 12:38 PM

Hello JaneAusten
Are you still with us?

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM

#4 Farbar


    Just Curious

  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:03 PM

Posted 22 January 2010 - 04:25 PM

This thread will now be closed due to lack of activity.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users