
Author Topic: Virtumonde!  (Read 8364 times)



  • SCF Member
  • **
  • Posts: 10
  • KARMA: 1
« on: 01. December 2008., 19:09:20 »
So for the first time since 2006 I've been infected with a trojan. I ran Spybot, which found seven infected registry keys, three under the title "Virtumonde" and four infected under "Virtumonde.dll".

I closed the browsers and Explorer and let Spybot do its work, which it did well. Unfortunately, when I hard rebooted, the files were reinstalled. Apparently either Explorer or WinLogon, from what I've read, is infected as well.

I came to the pros in need of help. Too many ads!



  • SCF Administrator
  • *****
  • Posts: 7151
  • KARMA: 291
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • - Samker's Computer Forum
Re: Virtumonde!
« Reply #1 on: 01. December 2008., 19:50:55 »
Hi jdykstra and Welcome to SCF Portal.

Don't worry, we will help you to clean this. Please follow the next instructions so we can do that as soon as possible:

1. Provide us all possible details related to your problems / infection.

2. Run Kaspersky Online AntiVirus Scan:,734.0.html

3. Download & run HijackThis:,785.0.html

4. Provide us logs from HijackThis & AntiVirus Online Scan

I'll wait for your reply (with logs).




  • SCF Member
  • **
  • Posts: 10
  • KARMA: 1
Re: Virtumonde!
« Reply #2 on: 02. December 2008., 01:10:02 »
The AntiVirus Online Scan closed every time I tried to open it. Something fishy going on there.


  • SCF Administrator
  • *****
  • Posts: 7151
  • KARMA: 291
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • - Samker's Computer Forum
Re: Virtumonde!
« Reply #3 on: 02. December 2008., 05:17:17 »
Hi again J.

I'll check your logs.

Until then, please try to make a scan with any other Antivirus Scan. Start with Bitdefender.  ;)

For good cleaning results we need that also. If you don't succeed we will continue without them, but it will be a little slower.

cya later,



  • SCF Member
  • **
  • Posts: 10
  • KARMA: 1
Re: Virtumonde!
« Reply #4 on: 03. December 2008., 04:34:11 »


  • SCF Administrator
  • *****
  • Posts: 7151
  • KARMA: 291
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • - Samker's Computer Forum
Re: Virtumonde!
« Reply #5 on: 03. December 2008., 05:17:51 »
Hi jdykstra.

I just noticed that this log isn't complete??

Anyway, Kaspersky found one type of infection, so that is enough for the start of cleaning.

Soon I'll send you new instructions.




  • SCF Administrator
  • *****
  • Posts: 7151
  • KARMA: 291
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • - Samker's Computer Forum
Re: Virtumonde!
« Reply #6 on: 03. December 2008., 07:38:45 »
jdykstra, let us also start with cleaning:

1. Turn off System Restore (this is most important).
Steps to turn off System Restore:
   1. Click Start, right-click My Computer, and then click Properties.
   2. In the System Properties dialog box, click the System Restore tab.
   3. Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
   4. Click OK.
   5. When you receive the following message, click Yes to confirm that you want to turn off System Restore:
   You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.

   Do you want to turn off System Restore?
   After a few moments, the System Properties dialog box closes.

2. Update your AVG AntiVirus.

3. Update your Spybot S&D.

4. Restart your PC and start it in Safe Mode. Instructions:
To start the computer in safe mode
You should print these instructions before continuing. They will not be available after you shut your computer down in step 2.

Click Start and then click Shut Down.

In the drop-down list of the Shut Down Windows dialog box, click Restart, and then click OK.

As your computer restarts but before Windows launches, press F8.
On a computer that is configured for booting to multiple operating systems, you can press F8 when the boot menu appears.

Use the arrow keys to highlight the appropriate safe mode option, and then press ENTER.

If you have a dual-boot or multiple-boot system, choose the installation that you need to access using the arrow keys, and then press ENTER.

If Windows launches before you can choose a safe mode, restart your computer and try again.

In safe mode, you have access to only basic files and drivers (mouse, monitor, keyboard, mass storage, base video, default system services, and no network connections). You can choose the Safe Mode with Networking option, which loads all of the above files and drivers and the essential services and drivers to start networking, or you can choose the Safe Mode with Command Prompt option, which is exactly the same as safe mode except that a command prompt is started instead of the graphical user interface. You can also choose Last Known Good Configuration, which starts your computer using the registry information that was saved at the last shutdown.

Safe mode helps you diagnose problems. If a symptom does not reappear when you start in safe mode, you can eliminate the default settings and minimum device drivers as possible causes. If a newly added device or a changed driver is causing problems, you can use safe mode to remove the device or reverse the change.

There are circumstances where safe mode will not be able to help you, such as when Windows system files that are required to start the system are corrupted or damaged. In this case, the Recovery Console may help you.

NUM LOCK must be off before the arrow keys on the numeric keypad will function.

5. Run Full Scan - AVG AntiVirus

6. Run again Full Scan - Spybot S&D

7. After that again Kaspersky Online Scan

8. After that HijackThis (it's important to close all other programs before running HJT)

9. Provide us logs from both (Kaspersky and HJT)

I'll be waiting for your next reply.




  • SCF Member
  • **
  • Posts: 10
  • KARMA: 1
Wednesday, December 10, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version:
Program database last update: Wednesday, December 10, 2008 21:03:38
Records in database: 1450448
Scan settings
Scan using the following database    extended
Scan archives    yes
Scan mail databases    yes
Scan area    My Computer
Scan statistics
Files scanned    154266
Threat name    4
Infected objects    143

Suspicious objects    0
Duration of the scan    03:07:51

File name    Threat name    Threats count
C:\WINDOWS\system32\opnkkhgd.dll/C:\WINDOWS\system32\opnkkhgd.dll   Infected: Trojan-Downloader.Win32.Agent.atga   3   
C:\WINDOWS\system32\gaynbi.dll/C:\WINDOWS\system32\gaynbi.dll   Infected: Trojan.Win32.Monder.abke   40   
C:\WINDOWS\system32\rcywjf.dll/C:\WINDOWS\system32\rcywjf.dll   Infected: Trojan.Win32.Monder.abke   40   
C:\WINDOWS\system32\zauhck.dll/C:\WINDOWS\system32\zauhck.dll   Infected: Trojan.Win32.Monder.abke   40   
C:\WINDOWS\System32\gaynbi.dll/C:\WINDOWS\System32\gaynbi.dll   Infected: Trojan.Win32.Monder.abke   1   
C:\WINDOWS\System32\rcywjf.dll/C:\WINDOWS\System32\rcywjf.dll   Infected: Trojan.Win32.Monder.abke   1   
C:\WINDOWS\System32\zauhck.dll/C:\WINDOWS\System32\zauhck.dll   Infected: Trojan.Win32.Monder.abke   1   
C:\WINDOWS\SYSTEM32\gaynbi.dll/C:\WINDOWS\SYSTEM32\gaynbi.dll   Infected: Trojan.Win32.Monder.abke   1   
C:\WINDOWS\SYSTEM32\rcywjf.dll/C:\WINDOWS\SYSTEM32\rcywjf.dll   Infected: Trojan.Win32.Monder.abke   1   
C:\WINDOWS\SYSTEM32\zauhck.dll/C:\WINDOWS\SYSTEM32\zauhck.dll   Infected: Trojan.Win32.Monder.abke   1   
C:\Program Files\mIRC\backups\mirc.exe   Infected: not-a-virus:Client-IRC.Win32.mIRC.632   1   
C:\WINDOWS\system32\gaynbi.dll   Infected: Trojan.Win32.Monder.abke   1   
C:\WINDOWS\system32\loljhtel.dll   Infected: Trojan.Win32.Monder.aaxp   1   
C:\WINDOWS\system32\opnkkhgd.dll   Infected: Trojan-Downloader.Win32.Agent.atga   1   
C:\WINDOWS\system32\rcywjf.dll   Infected: Trojan.Win32.Monder.abke   1   
C:\WINDOWS\system32\rxacqove.dll   Infected: Trojan.Win32.Monder.abke   1   
C:\WINDOWS\system32\scjsgtpc.dll   Infected: Trojan.Win32.Monder.abke   1   
C:\WINDOWS\system32\scxcjtrg.dll   Infected: Trojan.Win32.Monder.abke   1   
C:\WINDOWS\system32\xbvgnmtd.dll   Infected: Trojan.Win32.Monder.abke   1   
C:\WINDOWS\system32\yvkakwch.dll   Infected: Trojan.Win32.Monder.abke   1   
C:\WINDOWS\system32\zauhck.dll   Infected: Trojan.Win32.Monder.abke   1   
C:\WINDOWS\system32\zpvvre.dll   Infected: Trojan.Win32.Monder.aaxp   1   
C:\WINDOWS\system32\zslgsn.dll   Infected: Trojan.Win32.Monder.abke   1   
C:\WINDOWS\system32\zworpw.dll   Infected: Trojan.Win32.Monder.abke   1
The selected area was scanned.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:33 PM, on 12/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Dropbox\dropbox.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\John Dykstra\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [nTrayFw] C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [lifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Dropbox.lnk = C:\Program Files\Dropbox\dropbox.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: Atomic Email Hunter - C:\Program Files\AtomPark\Atomic Email Hunter\ie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\John Dykstra\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: Atomic Email Hunter - {491A6C2B-1046-486b-8A8F-7D26BCB79A9B} - C:\Program Files\AtomPark\Atomic Email Hunter\ie.htm (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Atomic Email Hunter - {491A6C2B-1046-486b-8A8F-7D26BCB79A9B} - C:\Program Files\AtomPark\Atomic Email Hunter\ie.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} -
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) -
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) -
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) -
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) -
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) -
O20 - AppInit_DLLs: gaynbi.dll rcywjf.dll zauhck.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Cs2hrtmstwap - HP - C:\WINDOWS\system32\drivers\HPZipr12.sys
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

End of file - 9502 bytes
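
Added example (my own code, not posted by anyone in this thread): a small Python script that reads the O20 AppInit_DLLs line out of a HijackThis log and checks each DLL it names against the Kaspersky detections, so the persistence entries and the scanner verdicts can be compared at a glance. The two log excerpts inside the script are a handful of lines copied from the logs posted above and used as constructed sample input, not the full logs; the regular expressions for the two log formats are written against those lines and are my assumption about the formats. DLLs listed in AppInit_DLLs are loaded into every process that loads user32.dll, which is why such files are in use as soon as the desktop comes up and come straight back after a reboot unless the registry value is cleaned along with the files.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: a few lines copied from the HijackThis log posted
# in this thread (not the full log).
HJT_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O20 - AppInit_DLLs: gaynbi.dll rcywjf.dll zauhck.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Constructed sample input: a few lines copied from the Kaspersky Online
# Scanner report posted in this thread.
KASPERSKY_LOG = r"""
C:\WINDOWS\system32\gaynbi.dll/C:\WINDOWS\system32\gaynbi.dll   Infected: Trojan.Win32.Monder.abke   40
C:\WINDOWS\system32\gaynbi.dll   Infected: Trojan.Win32.Monder.abke   1
C:\WINDOWS\system32\loljhtel.dll   Infected: Trojan.Win32.Monder.aaxp   1
C:\WINDOWS\system32\rcywjf.dll   Infected: Trojan.Win32.Monder.abke   1
C:\WINDOWS\system32\zauhck.dll   Infected: Trojan.Win32.Monder.abke   1
C:\Program Files\mIRC\backups\mirc.exe   Infected: not-a-virus:Client-IRC.Win32.mIRC.632   1
"""

# Assumed line shapes, derived from the sample lines above.
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(.*)$")
DETECTION_RE = re.compile(
    r"^(?P<obj>.+?)\s{2,}Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)


def parse_appinit_dlls(hjt_log: str) -> List[str]:
    """Return the DLL names listed on HijackThis O20 (AppInit_DLLs) lines.

    user32.dll loads every DLL named here into each process it is mapped into,
    so anything on this line is effectively resident system-wide."""
    dlls: List[str] = []
    for line in hjt_log.splitlines():
        m = APPINIT_RE.match(line.strip())
        if m:
            # Entries may be space or comma separated; normalise to lowercase.
            dlls.extend(n.lower() for n in re.split(r"[,\s]+", m.group(1)) if n)
    return dlls


def parse_kaspersky_detections(scan_log: str) -> Dict[str, str]:
    """Map each detected file's lowercased basename to its threat name.

    Kaspersky writes objects inside a container as 'outer/inner'; the innermost
    object is the part after the last '/'. The first verdict seen for a name wins."""
    found: Dict[str, str] = {}
    for line in scan_log.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        innermost = m.group("obj").split("/")[-1]
        basename = innermost.rsplit("\\", 1)[-1].lower()
        found.setdefault(basename, m.group("threat"))
    return found


def is_malicious(threat: str) -> bool:
    """Kaspersky prefixes riskware and legitimate tools with 'not-a-virus:';
    those entries are not part of the infection and should not be deleted blindly."""
    return not threat.lower().startswith("not-a-virus:")


def correlate(hjt_log: str, scan_log: str) -> Dict[str, Optional[str]]:
    """For every AppInit_DLLs entry, give the scanner verdict (None if unflagged)."""
    detections = parse_kaspersky_detections(scan_log)
    return {dll: detections.get(dll) for dll in parse_appinit_dlls(hjt_log)}


def undetected_persistence(hjt_log: str, scan_log: str) -> List[str]:
    """AppInit entries the scanner did not flag: a gap worth checking by hand."""
    return [dll for dll, verdict in correlate(hjt_log, scan_log).items() if verdict is None]


def detections_outside_appinit(hjt_log: str, scan_log: str) -> Dict[str, str]:
    """Malicious detections with no AppInit_DLLs entry: companion files that a
    cleanup must remove as well, or the scan will keep finding them."""
    appinit = set(parse_appinit_dlls(hjt_log))
    return {name: threat for name, threat in parse_kaspersky_detections(scan_log).items()
            if is_malicious(threat) and name not in appinit}


if __name__ == "__main__":
    for dll, verdict in correlate(HJT_LOG, KASPERSKY_LOG).items():
        print(f"{dll:14s} -> {verdict or 'NOT flagged by scanner'}")
    print("detected but not in AppInit_DLLs:", detections_outside_appinit(HJT_LOG, KASPERSKY_LOG))
```

Run it on the full logs by pasting them into the two strings; the interesting output is any DLL that `undetected_persistence` reports, since that is a loader entry the scanner has no verdict for, and the `not-a-virus:` filter keeps the mIRC backup out of the list of files to act on.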


  • SCF Administrator
  • *****
  • Posts: 7151
  • KARMA: 291
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • - Samker's Computer Forum
Hi again, J.

You can see now, we have here at least two trojans... :police:

Before the next instructions, I need one piece of information: Did you make these logs before or after my last instructions: "turn off system restore", "run in Safe Mode"... ??

I need that info just to see whether AVG & Spybot already cleaned some things.

In case you missed the last instructions, please go back to them, finish them and provide us new logs.

Regards and don't worry we will clean this.  :bih:



  • SCF Member
  • **
  • Posts: 10
  • KARMA: 1
Re: Virtumonde!
« Reply #9 on: 11. December 2008., 19:36:40 »
Unfortunately, I followed your directions twice, and they still couldn't get rid of these viruses!

