Jump to content

Virtumonde.prx virus


Recommended Posts

I need help in getting this virus off my PC. Logs from MBAM scan, Active Scan and Hijack this are attached. I appreciate your help.

Malwarebytes' Anti-Malware 1.31

Database version: 1534

Windows 5.1.2600 Service Pack 3

12/22/2008 9:35:10 PM

mbam-log-2008-12-22 (21-35-10).txt

Scan type: Quick Scan

Objects scanned: 51762

Time elapsed: 5 minute(s), 17 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 2

Registry Keys Infected: 12

Registry Values Infected: 8

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 16

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\tolataga.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\govezamu.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a38add17-a697-45d6-903e-7ddd6140c6b5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{a38add17-a697-45d6-903e-7ddd6140c6b5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a38add17-a697-45d6-903e-7ddd6140c6b5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mezatigugo (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm5704733e (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingb4917 (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingd7270 (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletinga5864 (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingc9606 (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\tolataga.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\tolataga.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\tolataga.dll -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\govezamu.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\tolataga.dll (Trojan.Vundo.H) -> Delete on reboot.

c:\WINDOWS\system32\vevinaho.dll_old (Trojan.Vundo) -> Delete on reboot.

C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sedovidu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\leforoju.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\dehaseha.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\mulifadu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\nivifutu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\nukizani.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\vetahadu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\vofiposa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wiyatuto.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\kajewetu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\kanelewu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\zoripuzo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

;*******************************************************************************

********************************************************************************

*

*******************

ANALYSIS: 2008-12-22 22:45:21

PROTECTIONS: 1

MALWARE: 19

SUSPECTS: 1

;*******************************************************************************

********************************************************************************

*

*******************

PROTECTIONS

Description Version Active Updated

;===============================================================================

================================================================================

=

===================

McAfee VirusScan Enterprise 8.5.0.781 No Yes

;===============================================================================

================================================================================

=

===================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

================================================================================

=

===================

00096188 spyware/searchcentrix Spyware No 1 Yes No c:\documents and settings\administrator\favorites\links\hardware search.lnk

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@trafficmp[1].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@advertising[2].txt

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[2].txt

00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@overture[1].txt

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@realmedia[1].txt

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@go[2].txt

00456116 Adware/Antivirus2009 Adware No 0 Yes No C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\AN9P9KUR\freescan[2].htm

00456116 Adware/Antivirus2009 Adware No 0 Yes No C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\AN9P9KUR\freescan[1].htm

00519333 Application/Processor HackTools No 0 Yes No C:\Support\Spyware Removal Tools\Vundo\VirtumundoBeGone.exe

01196325 Cookie/Enhance TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@enhance[1].txt

01262593 Application/NirCmd.A HackTools No 0 Yes No C:\ComboFix\nircmd.cfexe

01262593 Application/NirCmd.A HackTools No 0 Yes No C:\ComboFix\nircmd.exe

02883618 Adware/AVSystemCare Adware No 0 Yes No C:\Support\Spyware Removal Tools\HijackThis\backups\backup-20071230-225753-854.dll

02915730 Trj/Rebooter.J Virus/Trojan No 0 Yes No C:\Support\Spyware Removal Tools\SmitFraudFix (Fake Windows Security Warnings)\SmitfraudFix.exe

03541233 HackTool/Rebooter HackTools No 0 Yes No C:\Support\Spyware Removal Tools\SmitFraudFix (Fake Windows Security Warnings)\SmitfraudFix\Reboot.exe

03899005 Generic Malware Virus/Trojan No 0 Yes No C:\ComboFix\ntp.exe

04346858 Generic Trojan Virus/Trojan No 0 Yes No C:\ComboFix\catchme.cfexe

;===============================================================================

================================================================================

=

===================

SUSPECTS

Sent Location Ne

;===============================================================================

================================================================================

=

===================

No C:\WINDOWS\system32\bkpxygbv.dll.bak Ne

;===============================================================================

================================================================================

=

===================

VULNERABILITIES

Id Severity Description Ne

;===============================================================================

================================================================================

=

===================

;===============================================================================

================================================================================

=

===================

Logfile of HijackThis v1.99.1

Scan saved at 10:57:39 PM, on 12/22/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\AIM\aim.exe

C:\WINDOWS\system32\gearsec.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Support\Spyware Removal Tools\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1229606127593

O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab

O20 - AppInit_DLLs: c:\windows\system32\fahapera.dll c:\windows\system32\ronogiga.dll c:\windows\system32\vevinaho.dll

O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.