
Virtumonde


  • This topic is locked
3 replies to this topic

#1 skow69

skow69

  • Members
  • 1 posts
  • OFFLINE
  • Local time:12:58 AM

Posted 15 September 2010 - 01:33 PM

Last week the command menu disappeared off of Task Manager. 2 days ago I ran a scan with Spybot S and D. Spybot reported an error regarding Virtumonde. At the same time the command menu reappeared on Task Manager. I came to bleepingcomputer and followed the instructions for removing vundo using Malwarebytes' Anti-Malware. It found and removed 5 related files. It also reported an error: CANNOT OPEN WINDOWS/system32/secupdc.dll. Last night a bogus looking dialog box popped up saying that my updates were almost complete and the computer would restart in 45 minutes. I ran Spybot again. It took the usual amount of time and counted off the usual number of files, but for 90% of the scan it reported that it was working on Virtumonde.sdn or Virtumonde.sci. I kept hitting the RESTART LATER button on the bogus dialog box while I gathered the info for this post. On the last step, while I was waiting for gmer to finish, it went BSOD. I rebooted and here we are.

Thanks for the help.



DDS (Ver_10-03-17.01) - NTFSx86
Run by vfgtuj at 4:40:19.88 on Wed 09/15/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1024.396 [GMT -7:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\TweakNow PowerPack 2009\Module32\RAM2_XP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Creative Professional\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Perfect Alarm Clock\Alarm.exe
C:\Program Files\Perfect Alarm Clock\Alarm.exe
C:\Program Files\Avant Browser\avant.exe
C:\Program Files\WhatsRunning\WhatsRunning.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\vfgtuj\Desktop\Defogger.exe
C:\Documents and Settings\vfgtuj\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bing.com/?pc=AVBR
uSearch Page = hxxp://www.bing.com/?pc=AVBR
uSearch Bar =
mLocal Page =
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
mSearchAssistant =
BHO: Disabled:{2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - No File
BHO: Disabled:{53707962-6F74-2D53-2644-206D7942484F} - No File
BHO: Disabled:{F156768E-81EF-470C-9057-481BA8380DBA} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [RAM Idle Professional] c:\program files\tweaknow powerpack 2009\module32\RAM2_XP.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe
uPolicies-explorer: DisallowRun = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} -
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {05317530-B882-449D-9421-18D94FA3ED34} - hxxp://www.sis.com/ocis/OSInfo.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
DPF: {16095503-786F-4097-AED6-5D567A26D760} - hxxp://www.sis.com/ocis/SiSAutodetectNT.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1010131284848
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1010131273802
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {A27C56D2-3F58-4ABB-AA31-1168EDA6636F} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [2002-1-3 22360]
R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [2002-1-3 45416]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2002-1-3 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2002-1-3 267432]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-14 136176]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;"c:\program files\postgresql\8.3\bin\pg_ctl.exe" runservice -w -n "pgsql-8.3" -d "c:\program files\postgresql\8.3\data\" --> c:\program files\postgresql\8.3\bin\pg_ctl.exe [?]

=============== Created Last 30 ================

2010-09-15 11:38:41 0 ----a-w- c:\documents and settings\vfgtuj\defogger_reenable
2010-09-15 02:08:43 58880 ----a-w- c:\windows\system32\SET2CB.tmp
2010-09-15 02:08:37 293376 ----a-w- c:\windows\system32\SET2C7.tmp
2010-09-15 02:08:30 590848 ----a-w- c:\windows\system32\SET2C1.tmp
2010-09-15 02:08:30 5120 ------w- c:\windows\system32\SET2C2.tmp
2010-09-15 02:08:22 406016 ----a-w- c:\windows\system32\SET2A4.tmp
2010-09-13 23:25:34 0 d-----w- c:\docume~1\vfgtuj\applic~1\Malwarebytes
2010-09-13 23:24:44 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-13 23:24:41 0 dc----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-13 23:24:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-13 23:24:40 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-13 22:41:09 0 dc----w- C:\VundoFix Backups
2010-09-13 21:34:58 54776 ----a-w- c:\windows\system32\drivers\mozy.sys
2010-09-13 21:34:53 0 d-----w- c:\program files\MozyHome
2010-09-04 23:44:05 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-09-04 23:44:05 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-09-04 23:44:04 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-09-04 23:44:03 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-09-04 23:44:03 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-09-04 23:42:59 249402 -c--a-w- c:\windows\system32\dllcache\vinwm.sys
2010-09-04 23:41:58 61824 -c--a-w- c:\windows\system32\dllcache\speed.sys
2010-09-04 23:40:59 27648 -c--a-w- c:\windows\system32\dllcache\rw430ext.dll
2010-09-04 23:39:53 198144 -c--a-w- c:\windows\system32\dllcache\nv3.sys
2010-09-04 23:38:59 26112 -c--a-w- c:\windows\system32\dllcache\memstpci.sys
2010-09-04 23:37:48 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll
2010-09-04 23:36:58 82304 -c--a-w- c:\windows\system32\dllcache\grclass.sys
2010-09-04 23:35:59 50719 -c--a-w- c:\windows\system32\dllcache\e1000nt5.sys
2010-09-04 23:34:58 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-09-04 23:33:59 26880 -c--a-w- c:\windows\system32\dllcache\atirtsnd.sys
2010-09-03 19:25:38 0 d-----w- c:\docume~1\vfgtuj\applic~1\Steinberg

==================== Find3M ====================

2010-08-04 07:58:23 102400 --sha-r- c:\windows\system32\secupdc.dll
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:16:21 841216 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:16:20 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:16:20 17408 ----a-w- c:\windows\system32\corpol.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-03-26 21:00:57 65015 ----a-w- c:\program files\hminstalllog.txt
2010-03-22 17:28:10 165 ----a-w- c:\program files\gg.ini
2005-05-15 21:38:48 966144 ----a-w- c:\program files\gg.exe
2010-02-04 00:58:45 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010020420100205\index.dat

============= FINISH: 4:41:05.62 ===============
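As an added triage example (not part of this thread, and not a feature of DDS, Malwarebytes or GMER): a small Python helper that scans DDS log text for the three kinds of entry the log above contains and that a malware-removal helper would look at first: a system+hidden executable in system32 (secupdc.dll, the file MBAM reported it could not open), an Internet Settings ProxyServer pointing at 127.0.0.1, and a Hosts entry pinning a security site to loopback. The regexes, the inferred attribute-field layout and the findings format are assumptions of mine; the constructed sample reuses lines from the log posted above.

```python
import re
from typing import Dict, List

# Constructed sample: a handful of lines copied from the DDS log posted above,
# plus one clean system file line so the filters have something to ignore.
SAMPLE_LOG = """\
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bing.com/?pc=AVBR
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
mRun: [avgnt] "c:\\program files\\avira\\antivir desktop\\avgnt.exe" /min
Hosts: 127.0.0.1 www.spywareinfo.com

==================== Find3M ====================

2010-08-04 07:58:23 102400 --sha-r- c:\\windows\\system32\\secupdc.dll
2010-06-30 12:31:35 149504 ----a-w- c:\\windows\\system32\\schannel.dll
"""

# DDS file lines: "<date> <time> <size> <attrs> <path>". The 8-character
# attribute field layout (d c s h a ? w/r ?) is inferred from the log lines
# on the page: position 2 is 's' for system, position 3 is 'h' for hidden.
FILE_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>\S{8}) (?P<path>.+)$"
)
PROXY_LINE = re.compile(r"^[um]Internet Settings,ProxyServer = (?P<value>.+)$")
HOSTS_LINE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)$")

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1", "localhost"}
EXEC_EXT = (".dll", ".exe", ".sys", ".scr", ".ocx")


def parse_proxy(value: str) -> List[str]:
    """Return the proxy hosts from a WinINet ProxyServer value.

    Accepts both the bare "host:port" form and the per-protocol
    "http=host:port;https=host:port" form. (Bracketed IPv6 literals are
    not handled; they do not appear in DDS logs of this era.)
    """
    hosts = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:                       # "http=host:port" -> "host:port"
            part = part.split("=", 1)[1]
        hosts.append(part.rsplit(":", 1)[0])  # drop the port
    return hosts


def triage_dds(text: str) -> List[Dict[str, str]]:
    """Scan DDS log text and return the entries worth a second look.

    Each finding is a dict with 'kind', 'line' and 'detail'. These are review
    prompts, not verdicts: a loopback proxy can be a legitimate local web
    filter, and hosts-file redirects are also used for ad blocking.
    """
    findings: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()

        m = FILE_LINE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            # A system+hidden executable in system32 is the pattern the thread
            # above ran into (secupdc.dll, which MBAM could not open).
            if attrs[2] == "s" and attrs[3] == "h" and path.lower().endswith(EXEC_EXT):
                findings.append({"kind": "hidden_system_executable", "line": line,
                                 "detail": f"attributes {attrs} on {path}"})
            continue

        m = PROXY_LINE.match(line)
        if m:
            hosts = parse_proxy(m.group("value"))
            # Browser traffic routed through a proxy on the local machine:
            # identify the process listening on that port before judging.
            if any(h.lower() in LOOPBACK for h in hosts):
                findings.append({"kind": "loopback_proxy", "line": line,
                                 "detail": f"ProxyServer points at {', '.join(hosts)}"})
            continue

        m = HOSTS_LINE.match(line)
        if m and m.group("ip") in LOOPBACK and m.group("host").lower() != "localhost":
            # A site pinned to loopback in the hosts file cannot be reached;
            # when it is a security site, the victim is cut off from help.
            findings.append({"kind": "hosts_redirect", "line": line,
                             "detail": f"{m.group('host')} resolved to {m.group('ip')}"})
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['detail']}")
```

Run it on a saved DDS.txt by reading the file and passing its contents to `triage_dds`; on the sample above it reports the loopback proxy, the spywareinfo.com hosts entry and secupdc.dll, and stays silent on schannel.dll. The checks deliberately stop at "worth a look": the next step is the one the helper asks for in the thread, a fresh DDS and a GMER log, not deleting files on the strength of a regex.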



#2 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:12:58 AM

Posted 22 September 2010 - 01:19 PM

Hello and welcome to Bleeping Computer.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly, the fix may take several attempts and my replies may take some time, but I will stick with it if you do the same.

Sorry for the delay in replying; the forum is very busy. If you still need help, please do the following:


1. Rerun DDS and post the fresh DDS and Attach.txt logs in your next post/reply.


2. Delete GMER.exe, then follow the instructions below:

Download and Run Gmer

Please download gmer.zip from Gmer and save it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.


If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.

If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure that the 'Sections' button is ticked and the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for whatever reason until it has 100% completed its scan, or attempted scan in case of some error, etc.!

Please post the results from the GMER scan in your reply.

MalWare Removal University Master

Member of ASAP


#3 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:12:58 AM

Posted 25 September 2010 - 11:48 AM

skow69? Do you still need help?

MalWare Removal University Master

Member of ASAP


#4 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:12:58 AM

Posted 28 September 2010 - 02:10 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

MalWare Removal University Master

Member of ASAP