Topic: Virtumonde!

[jdykstra]

So for the first time since 2006 I've been infected with a trojan. I ran Spybot, which found seven infected registry keys, three under the title "Virtumonde" and four infected under "Virtumonde.dll".

I closed the browsers and explorer and let Spybot do it's work, which it did well. Unfortunately, when I hard rebooted, the files were reinstalled. Apparently either Explorer or WinLogon, from what I've read, is infected as well.

I came to the pros in need of help. Too many ads!

[Samker]

Hi jdykstra and Welcome to SCF Portal.

Don't worry we will help you to clean this. Please follow next instruction se we can do that son as possible:

1. Provide us all possible details related to yours problems / infection.

2. Run Kaspersky Online AntiVirus Scan: http://scforum.info/index.php/topic,734.0.html

3. Download & run HijackThis: http://scforum.info/index.php/topic,785.0.html

4. Provide us logs from HijackThis & AntiVirus Online Scan


I'll wait your reply (with logs).

Regards,

Samker

[jdykstra]

The AntiVirus Online Scan closed every time I tried to open it. Something fishy going on there.

[Samker]

Hi again J.

I'll check your logs.

Untill that, please try to make scan with any other Antvirus Scan. Start with Bitdefender. 

For good cleaning results we need that also. If you doesn't sucess we will continue with't them but it will be litle slower.

cya later,

S.

[jdykstra]

..

[Samker]

Hi jdykstra.

I just notice that this log isn't complete??

Anyway Kaspersky is find one type of infection so that is enough for the start of cleaning.

Soon I'll send you new instruction.

Regards,

S.

[Samker]

jdykstra, let we also start with cleaning:

1. Turn of System Restore (this is most important).

Steps to turn off System Restore
1. Click Start, right-click My Computer, and then click Properties.
2. In the System Properties dialog box, click the System Restore tab.
3. Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
4. Click OK.
5. When you receive the following message, click Yes to confirm that you want to turn off System Restore:
You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.

Do you want to turn off System Restore?
After a few moments, the System Properties dialog box closes.

2. Update your AVG AntiVirus.

3. Update your Spybot S&D

3. Restart your PC and run again in Safe Mode. Instruction:

To start the computer in safe mode
1.
You should print these instructions before continuing. They will not be available after you shut your computer down in step 2.

2.
Click Start and then click Shut Down.

3.
In the drop-down list of the Shut Down Windows dialog box, click Restart, and then click OK.

4.
As your computer restarts but before Windows launches, press F8. 
On a computer that is configured for booting to multiple operating systems, you can press F8 when the boot menu appears.

5.
Use the arrow keys to highlight the appropriate safe mode option, and then press ENTER.

6.
If you have a dual-boot or multiple-boot system, choose the installation that you need to access using the arrow keys, and then press ENTER.


Note•
If Windows launches before you can choose a safe mode, restart your computer and try again.
•
In safe mode, you have access to only basic files and drivers (mouse, monitor, keyboard, mass storage, base video, default system services, and no network connections). You can choose the Safe Mode with Networking option, which loads all of the above files and drivers and the essential services and drivers to start networking, or you can choose the Safe Mode with Command Prompt option, which is exactly the same as safe mode except that a command prompt is started instead of the graphical user interface. You can also choose Last Known Good Configuration, which starts your computer using the registry information that was saved at the last shutdown.
•
Safe mode helps you diagnose problems. If a symptom does not reappear when you start in safe mode, you can eliminate the default settings and minimum device drivers as possible causes. If a newly added device or a changed driver is causing problems, you can use safe mode to remove the device or reverse the change.
•
There are circumstances where safe mode will not be able to help you, such as when Windows system files that are required to start the system are corrupted or damaged. In this case, the Recovery Console may help you.
•
NUM LOCK must be off before the arrow keys on the numeric keypad will function.

4. Run Full Scan - AVG AntiVirus

4. Run again Full Scan - Spybot S&D

5. After that again Kaspersky Online Scan

6. After that HijackThis (it's important to before running HJT turn of all possible programs)

7. Provide us log from both (Kaspersky and HJT)


I'll be waiting your next reply. 


Regards,

Samker

[jdykstra]

Wednesday, December 10, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, December 10, 2008 21:03:38
Records in database: 1450448
Scan settings
Scan using the following database    extended
Scan archives    yes
Scan mail databases    yes
Scan area    My Computer
C:\
D:\
F:\
G:\
H:\
Scan statistics
Files scanned    154266
Threat name    4
Infected objects    143
Suspicious objects    0
Duration of the scan    03:07:51

File name    Threat name    Threats count
C:\WINDOWS\system32\opnkkhgd.dll/C:\WINDOWS\system32\opnkkhgd.dll   Infected: Trojan-Downloader.Win32.Agent.atga   3   
C:\WINDOWS\system32\gaynbi.dll/C:\WINDOWS\system32\gaynbi.dll   Infected: Trojan.Win32.Monder.abke   40   
C:\WINDOWS\system32\rcywjf.dll/C:\WINDOWS\system32\rcywjf.dll   Infected: Trojan.Win32.Monder.abke   40   
C:\WINDOWS\system32\zauhck.dll/C:\WINDOWS\system32\zauhck.dll   Infected: Trojan.Win32.Monder.abke   40   
C:\WINDOWS\System32\gaynbi.dll/C:\WINDOWS\System32\gaynbi.dll   Infected: Trojan.Win32.Monder.abke   1   
C:\WINDOWS\System32\rcywjf.dll/C:\WINDOWS\System32\rcywjf.dll   Infected: Trojan.Win32.Monder.abke   1   
C:\WINDOWS\System32\zauhck.dll/C:\WINDOWS\System32\zauhck.dll   Infected: Trojan.Win32.Monder.abke   1   
C:\WINDOWS\SYSTEM32\gaynbi.dll/C:\WINDOWS\SYSTEM32\gaynbi.dll   Infected: Trojan.Win32.Monder.abke   1   
C:\WINDOWS\SYSTEM32\rcywjf.dll/C:\WINDOWS\SYSTEM32\rcywjf.dll   Infected: Trojan.Win32.Monder.abke   1   
C:\WINDOWS\SYSTEM32\zauhck.dll/C:\WINDOWS\SYSTEM32\zauhck.dll   Infected: Trojan.Win32.Monder.abke   1   
C:\Program Files\mIRC\backups\mirc.exe   Infected: not-a-virus:Client-IRC.Win32.mIRC.632   1   
C:\WINDOWS\system32\gaynbi.dll   Infected: Trojan.Win32.Monder.abke   1   
C:\WINDOWS\system32\loljhtel.dll   Infected: Trojan.Win32.Monder.aaxp   1   
C:\WINDOWS\system32\opnkkhgd.dll   Infected: Trojan-Downloader.Win32.Agent.atga   1   
C:\WINDOWS\system32\rcywjf.dll   Infected: Trojan.Win32.Monder.abke   1   
C:\WINDOWS\system32\rxacqove.dll   Infected: Trojan.Win32.Monder.abke   1   
C:\WINDOWS\system32\scjsgtpc.dll   Infected: Trojan.Win32.Monder.abke   1   
C:\WINDOWS\system32\scxcjtrg.dll   Infected: Trojan.Win32.Monder.abke   1   
C:\WINDOWS\system32\xbvgnmtd.dll   Infected: Trojan.Win32.Monder.abke   1   
C:\WINDOWS\system32\yvkakwch.dll   Infected: Trojan.Win32.Monder.abke   1   
C:\WINDOWS\system32\zauhck.dll   Infected: Trojan.Win32.Monder.abke   1   
C:\WINDOWS\system32\zpvvre.dll   Infected: Trojan.Win32.Monder.aaxp   1   
C:\WINDOWS\system32\zslgsn.dll   Infected: Trojan.Win32.Monder.abke   1   
C:\WINDOWS\system32\zworpw.dll   Infected: Trojan.Win32.Monder.abke   1   
The selected area was scanned.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:33 PM, on 12/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Dropbox\dropbox.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\John Dykstra\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [nTrayFw] C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [lifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Dropbox.lnk = C:\Program Files\Dropbox\dropbox.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: Atomic Email Hunter - C:\Program Files\AtomPark\Atomic Email Hunter\ie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\John Dykstra\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: Atomic Email Hunter - {491A6C2B-1046-486b-8A8F-7D26BCB79A9B} - C:\Program Files\AtomPark\Atomic Email Hunter\ie.htm (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Atomic Email Hunter - {491A6C2B-1046-486b-8A8F-7D26BCB79A9B} - C:\Program Files\AtomPark\Atomic Email Hunter\ie.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://kungfuchess.com/activex/web665.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab57176.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O20 - AppInit_DLLs: gaynbi.dll rcywjf.dll zauhck.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Cs2hrtmstwap - HP - C:\WINDOWS\system32\drivers\HPZipr12.sys
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9502 bytes

[Samker]

Hi again, J.

You can see now, we have here at least two trojan...

Before next instruction, I need one information: Did you make this logs before or after my last instruction: "turn off system restore", "run in Safe Mode"... ??

I need that info. just to see did AVG & Spybot already clean some things?

In case that you miss last instruction please turn back to them, finish them and provide us new logs.

Regards and don't worry we will clean this. 

Samker

[jdykstra]

Unfortunately, I followed your directions twice, and they still couldn't get rid of these viruses!