Geeks to Go
need help terminating virtumond trojan [RESOLVED]


  • This topic is locked

#1 melinate (New Member, 2 posts)

Howdy folks,

I'm working on my brother-in-law's previously IT-neglected laptop and I've made some progress cleaning things up, but there seem to be some issues that require more than my level of experience.

This is a Windows XP SP2 system that had badly outdated virus software, no firewall and no anti-spyware installed. I have added Sophos AV and SpyBot S&D, and before posting I added & ran AVG Anti-Virus, DSS, HijackThis, & Panda Activescan. Let me know if you need any more information.

Any help is appreciated...

Thanks
Nathan

----

Panda Activescan:

Incident Status Location

Spyware:Spyware/Vundo Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\EDWARD~1\LOCALS~1\Temp\acspxcuv.dll
Spyware:Cookie/Belnk Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\EDWARD~1\LOCALS~1\Temp\Cookies\edward [email protected][2].txt
Spyware:Cookie/Dashbar Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\EDWARD~1\LOCALS~1\Temp\Cookies\edward [email protected][2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Edward Palacios\Cookies\[email protected][1].txt
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Elsa Palacios\Local Settings\Temp\wfwtiemd.dll
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Elsa Palacios\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\hwo20071222[1]
Spyware:Cookie/Dashbar Not disinfected C:\Documents and Settings\LocalService\Cookies\edward [email protected][2].txt
Possible Virus. Not disinfected C:\Program Files\FaxTools\Install\Setup.exe
Possible Virus. Not disinfected C:\Program Files\InstallShield Installation Information\{F45298E5-0083-426F-A668-1A2C5F04B8A0}\Setup.exe
Spyware:Spyware/Virtumonde Not disinfected C:\RECYCLER\S-1-5-21-2963747139-907337274-3928304420-500\Dc1.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\aeimjfav.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\bkfskaqg.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\bmuexadk.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\btxfbtiv.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\cegahlgv.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\cqoukcoc.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\cqqpmqog.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\cvjisemt.dll
Spyware:Spyware/Vundo Not disinfected C:\WINDOWS\SYSTEM32\dnsfcmvl.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\dovtfnar.dll
Spyware:Spyware/Vundo Not disinfected C:\WINDOWS\SYSTEM32\duibphbw.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\ebwkjtmn.dll
Spyware:Spyware/Vundo Not disinfected C:\WINDOWS\SYSTEM32\ehswpvul.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\eydahhqb.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\gdgbhcig.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\gkmjgfwu.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\glknmmml.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\hjjksbux.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\hucpjxot.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\ihxbjbel.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\iscecnxs.dll
Spyware:Spyware/Vundo Not disinfected C:\WINDOWS\SYSTEM32\itwqgldr.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\jdpatbqo.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\jphyonty.dll
Spyware:Spyware/Vundo Not disinfected C:\WINDOWS\SYSTEM32\klgpfdxw.dll
Spyware:Spyware/Vundo Not disinfected C:\WINDOWS\SYSTEM32\kqhnnlyk.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\lttegqne.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\nitxwcfn.dll
Spyware:Spyware/Vundo Not disinfected C:\WINDOWS\SYSTEM32\ovkiawwn.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\pckrsqan.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\pmsfekyk.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\pqjamgqs.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\pqkygcob.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\qaaxsamy.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\qvqmpygo.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\scqhyfud.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\sfswhywc.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\sjweuqap.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\smdjrjfa.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\sxljqkdc.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\syyhysfv.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\tlacbuvx.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\ukkncffa.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\ulolyunw.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\utnsdqpf.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\vaiqwvbg.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\vgjfgxba.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\wrwvqkxc.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\wtjvqdby.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\xflouplx.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\xqlhrewb.dll
Spyware:Spyware/Vundo Not disinfected C:\WINDOWS\SYSTEM32\xrcheqgp.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\yuxggofu.dll


HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:53:03 PM, on 3/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: {22364e79-f962-3788-6ae4-b870cbeb4ad5} - {5da4bebc-078b-4ea6-8873-269f97e46322} - C:\WINDOWS\system32\wrwvqkxc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/p.../v13/ticker.cab
O20 - AppInit_DLLs: c:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O24 - Desktop Component 0: (no name) - http://images.foodne...ages/spacer.gif

--
End of file - 6933 bytes


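The check a helper would run over the two logs above, added here as an example (it is not code from the original post, nor from Panda, HijackThis or DSS): it parses the Panda ActiveScan lines, sorts each hit by where the file lives (the DSS backup folder and the Recycle Bin versus a live System32 path), and cross-references the paths against the files HijackThis shows being loaded, so that the O2 BHO pointing at C:\WINDOWS\system32\wrwvqkxc.dll is reported as a loaded copy rather than a leftover. The sample strings are a subset of the posted logs; the status words other than "Not disinfected" and the eight-lowercase-letter filename heuristic are assumptions, not something either tool documents.

```python
import re
from collections import Counter

# Constructed sample input: a subset of the Panda ActiveScan and HijackThis
# lines from the post above, embedded so the script runs offline.
PANDA_SAMPLE = r"""
Spyware:Spyware/Vundo Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\EDWARD~1\LOCALS~1\Temp\acspxcuv.dll
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Edward Palacios\Cookies\[email protected][1].txt
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Elsa Palacios\Local Settings\Temp\wfwtiemd.dll
Spyware:Spyware/Virtumonde Not disinfected C:\RECYCLER\S-1-5-21-2963747139-907337274-3928304420-500\Dc1.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\aeimjfav.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\wrwvqkxc.dll
Possible Virus. Not disinfected C:\Program Files\FaxTools\Install\Setup.exe
"""

HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: {22364e79-f962-3788-6ae4-b870cbeb4ad5} - {5da4bebc-078b-4ea6-8873-269f97e46322} - C:\WINDOWS\system32\wrwvqkxc.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O20 - AppInit_DLLs: c:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
"""

# "Not disinfected" is the only status word in the posted log; the other two
# are assumed alternatives so the parser also accepts a cleaner scan.
PANDA_RE = re.compile(
    r"^(?P<detection>.+?)\s+(?P<status>Not disinfected|Disinfected|Deleted)\s+"
    r"(?P<path>[A-Za-z]:\\.+)$"
)
# Any drive-letter path ending in a loadable binary, as HijackThis prints them.
HJT_PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe|sys)\b", re.IGNORECASE)
# Heuristic only (assumption): the Vundo DLLs in this log are eight random
# lowercase letters; a legitimate DLL can match too, so treat it as a hint.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.dll$")


def parse_panda(text):
    """Turn Panda 'Incident Status Location' lines into dicts."""
    hits = []
    for line in text.splitlines():
        m = PANDA_RE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits


def classify_location(hit):
    """Where the flagged file lives. Only 'system32' and 'other' are candidate
    live infections; backup, temp and cookie hits are leftovers or cache."""
    path = hit["path"].lower()
    if hit["detection"].lower().startswith("spyware:cookie/"):
        return "cookie"
    if "\\deckard\\system scanner\\backup\\" in path or "\\recycler\\" in path:
        return "backup"  # DSS backup folder or Recycle Bin
    if "\\local settings\\temp\\" in path or "\\temporary internet files\\" in path:
        return "temp"
    if "\\windows\\system32\\" in path:
        return "system32"
    return "other"


def hjt_referenced_paths(text):
    """Every file HijackThis shows being loaded or auto-started (BHOs, Run
    keys, AppInit_DLLs, services), lower-cased for matching."""
    return {m.group(0).lower() for line in text.splitlines()
            for m in HJT_PATH_RE.finditer(line)}


def triage(panda_text, hjt_text):
    """Cross-reference scanner hits with what is actually wired into startup."""
    loaded = hjt_referenced_paths(hjt_text)
    report = {"by_location": Counter(), "live": [], "loaded": [], "random_named": []}
    for hit in parse_panda(panda_text):
        loc = classify_location(hit)
        report["by_location"][loc] += 1
        if loc in ("system32", "other"):
            report["live"].append(hit["path"])
        if hit["path"].lower() in loaded:
            report["loaded"].append(hit["path"])  # loaded copy, not a leftover
        filename = hit["path"].rsplit("\\", 1)[-1].lower()
        if loc == "system32" and RANDOM_NAME_RE.match(filename):
            report["random_named"].append(hit["path"])
    return report


if __name__ == "__main__":
    result = triage(PANDA_SAMPLE, HJT_SAMPLE)
    print("hits by location:", dict(result["by_location"]))
    print("still in live paths:", *result["live"], sep="\n  ")
    print("referenced by HijackThis:", *result["loaded"], sep="\n  ")
    print("random-named System32 DLLs:", *result["random_named"], sep="\n  ")
```

Run against the full logs, the "backup" and "cookie" buckets account for the Deckard, RECYCLER and cookie lines, while anything left in the "loaded" list is a file the browser or a service will pull in at next start and needs to be dealt with before the machine is called clean.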


#2 melinate (Topic Starter)

Thanks to anyone who looked at this. I think I figured out why no one could help me. It appears that I have cleaned up all active malware, but what was reported were remnants of Virtumonde that had already been removed.

Thanks again
Nathan

#3 Rorschach112 (Retired Staff)

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.