
virtumonde



We have a Mac computer at the office that runs Windows XP through Parallels. Spybot runs and has shown that the Windows side has had Virtumonde, even though it has run a few times and supposedly deleted it. Any tips on getting rid of this, or at least getting Malwarebytes to work, would be appreciated. I tried copying the .exe file from another computer and renaming it, but I got error 703 (0, 453). Twice I got Malwarebytes to actually install, but as soon as I hit scan it would shut down and then give me errors when I tried to open it again. Here is the HijackThis file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:43 AM, on 10/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINNT\system32\basfipm.exe
C:\Program Files\SQLLIB\bin\db2jds.exe
C:\Program Files\SQLLIB\bin\db2sec.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Parallels\Parallels Tools\Services\coherence.exe
C:\Program Files\Parallels\Parallels Tools\Services\prl_tools_service.exe
C:\Program Files\Parallels\Parallels Tools\Services\prl_tools.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Parallels\Parallels Tools\SIA\SharedIntApp.exe
C:\Program Files\Parallels\Parallels Tools\prl_cc.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\IBM\IMNNQ\HTTPDL.exe
C:\PROGRA~1\IBM\IMNNQ\imnsvdem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Parallels Shared Internet Applications] "C:\Program Files\Parallels\Parallels Tools\SIA\SharedIntApp.exe" /start
O4 - HKLM\..\Run: [Parallels Tools Center] "C:\Program Files\Parallels\Parallels Tools\prl_cc.exe"
O4 - HKLM\..\Run: [wifedosan] Rundll32.exe "c:\winnt\system32\sosilavu.dll",a
O4 - HKLM\..\RunOnce: [spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [spybotDeletingA1988] command.com /c del "C:\WINNT\SYSTEM32\yiyidaju.dll_old"
O4 - HKLM\..\RunOnce: [spybotDeletingC4512] cmd.exe /c del "C:\WINNT\SYSTEM32\yiyidaju.dll_old"
O4 - HKLM\..\RunOnce: [spybotDeletingA545] command.com /c del "C:\WINNT\SYSTEM32\neremije.dll_old"
O4 - HKLM\..\RunOnce: [spybotDeletingC4065] cmd.exe /c del "C:\WINNT\SYSTEM32\neremije.dll_old"
O4 - HKLM\..\RunOnce: [spybotDeletingA3105] command.com /c del "C:\WINNT\SYSTEM32\wokozupi.dll_old"
O4 - HKLM\..\RunOnce: [spybotDeletingC4392] cmd.exe /c del "C:\WINNT\SYSTEM32\wokozupi.dll_old"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [spybotDeletingA3754] command.com /c del "C:\WINNT\SYSTEM32\jegulufo.dll_old"
O4 - HKLM\..\RunOnce: [spybotDeletingC4847] cmd.exe /c del "C:\WINNT\SYSTEM32\jegulufo.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [spybotDeletingB3556] command.com /c del "C:\WINNT\SYSTEM32\yiyidaju.dll_old"
O4 - HKCU\..\RunOnce: [spybotDeletingD3368] cmd.exe /c del "C:\WINNT\SYSTEM32\yiyidaju.dll_old"
O4 - HKCU\..\RunOnce: [spybotDeletingB9265] command.com /c del "C:\WINNT\SYSTEM32\neremije.dll_old"
O4 - HKCU\..\RunOnce: [spybotDeletingD3154] cmd.exe /c del "C:\WINNT\SYSTEM32\neremije.dll_old"
O4 - HKCU\..\RunOnce: [spybotDeletingB8696] command.com /c del "C:\WINNT\SYSTEM32\wokozupi.dll_old"
O4 - HKCU\..\RunOnce: [spybotDeletingD744] cmd.exe /c del "C:\WINNT\SYSTEM32\wokozupi.dll_old"
O4 - HKCU\..\RunOnce: [spybotDeletingB9639] command.com /c del "C:\WINNT\SYSTEM32\jegulufo.dll_old"
O4 - HKCU\..\RunOnce: [spybotDeletingD515] cmd.exe /c del "C:\WINNT\SYSTEM32\jegulufo.dll_old"
O4 - HKUS\S-1-5-19\..\Run: [internat.exe] internat.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [internat.exe] internat.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [internat.exe] internat.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Principia Online Update.lnk = C:\Program Files\Morningstar\Principia\schedupd.exe
O4 - Global Startup: Start HTML Search Server.lnk = C:\Program Files\SQLLIB\bin\db2nq.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwlc.ops.placeware.com/etc/place/...quicksilver.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = itsconnect.com
O17 - HKLM\Software\..\Telephony: DomainName = itsconnect.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE6A500E-99EB-46B2-8230-AD465DE3BC53}: NameServer = 192.168.0.60
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = itsconnect.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = itsconnect.com
O20 - AppInit_DLLs: stem32\latuyotu.dll neremije.dll c:\winnt\system32\ c:\winnt\system32\sosilavu.dll
O21 - SSODL: dowugibuz - {9ec42bd0-2fe3-4f68-9637-9ecded16f7fb} - c:\winnt\system32\latuyotu.dll (file missing)
O21 - SSODL: kayakarod - {a61b4ca3-b40f-4412-a487-e75b47b310d5} - c:\winnt\system32\sosilavu.dll
O22 - SharedTaskScheduler: jugezatag - {9ec42bd0-2fe3-4f68-9637-9ecded16f7fb} - c:\winnt\system32\latuyotu.dll (file missing)
O22 - SharedTaskScheduler: tokatiluy - {a61b4ca3-b40f-4412-a487-e75b47b310d5} - c:\winnt\system32\sosilavu.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINNT\system32\basfipm.exe
O23 - Service: DB2 JDBC Applet Server - Control Center (DB2ControlCenterServer) - Unknown owner - C:\Program Files\SQLLIB\bin\db2ccs.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - Unknown owner - C:\Program Files\SQLLIB\bin\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Program Files\SQLLIB\bin\db2sec.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Parallels Coherence Service - Parallels, Inc. - C:\Program Files\Parallels\Parallels Tools\Services\coherence.exe
O23 - Service: Parallels Tools Service - Parallels, Inc. - C:\Program Files\Parallels\Parallels Tools\Services\prl_tools_service.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\spool\DRIVERS\W32X86\3\HPZipm12.exe

--
End of file - 11092 bytes


Update:

My boss deleted anything unnecessary out of the auto run. Uninstalled Malwarebytes and then reinstalled it and changed the exe file. It worked and he was able to clear out the files. Later I ran Malwarebytes again and found nothing, but Spybot still found one Virtumonde file. I have yet to run it again today.

Any help would be appreciated.
