Virtumonde.dll Trojan

This topic is locked.

#1 rob9095 (New Member)
Hey there, I have an issue with my desktop computer that's running Windows Vista. I have the Virtumonde trojan and Spybot can't seem to delete it. Also, I cannot log onto my computer in normal mode, only in safe mode. When I try to log on in normal mode I get this: "error 0xC0000022 Access Denied, A process has requested access to an object, but has not been granted those access rights." I can post my HijackThis log that I ran in safe mode if that can help. Also, my Netgear wireless adapter just failed to work when I got the virus and I can't seem to get that working again either; is it possible the virus ruined it or something?
If anybody can help me that would be awesome, and thank you very much.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:08:24 AM, on 4/24/2011

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18602)

Boot mode: Safe mode



Running processes:

C:\Windows\Explorer.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe



R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:56283

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll

O2 - BHO: ooVoo Toolbar - {59c6f12b-f004-43e5-9997-08f2123119b6} - C:\Program Files\oovootoolbar\oovootoolbarX.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: TVersitybar Toolbar - {66bd2442-241b-44cd-8c7a-b51037053cdb} - C:\Program Files\TVersitybar\tbTVer.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTo1.dll

O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll

O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

O3 - Toolbar: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTo1.dll

O3 - Toolbar: TVersitybar Toolbar - {66bd2442-241b-44cd-8c7a-b51037053cdb} - C:\Program Files\TVersitybar\tbTVer.dll

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

O3 - Toolbar: ooVoo Toolbar - {59c6f12b-f004-43e5-9997-08f2123119b6} - C:\Program Files\oovootoolbar\oovootoolbarX.dll

O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe

O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"

O4 - HKLM\..\Run: [conhost] C:\Users\Rob\AppData\Roaming\Microsoft\conhost.exe

O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe

O4 - HKLM\..\RunOnce: [SpybotDeletingA5614] command.com /c del "C:\WINDOWS\System32\SubRange6.dll"

O4 - HKLM\..\RunOnce: [SpybotDeletingC9754] cmd.exe /c del "C:\WINDOWS\System32\SubRange6.dll"

O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Users\Rob\AppData\Local\Temp\HBCD\SpybotSD\SpybotSD.exe" /autocheck

O4 - HKLM\..\RunOnce: [SpybotDeletingA69] command.com /c del "C:\WINDOWS\System32\SubRange6.dll"

O4 - HKLM\..\RunOnce: [SpybotDeletingC3699] cmd.exe /c del "C:\WINDOWS\System32\SubRange6.dll"

O4 - HKLM\..\RunOnce: [SpybotDeletingA4148] command.com /c del "C:\WINDOWS\System32\SubRange6.dll"

O4 - HKLM\..\RunOnce: [SpybotDeletingC2496] cmd.exe /c del "C:\WINDOWS\System32\SubRange6.dll"

O4 - HKLM\..\RunOnce: [SpybotDeletingA7986] command.com /c del "C:\WINDOWS\System32\SubRange6.dll"

O4 - HKLM\..\RunOnce: [SpybotDeletingC2090] cmd.exe /c del "C:\WINDOWS\System32\SubRange6.dll"

O4 - HKLM\..\RunOnce: [SpybotDeletingA2096] command.com /c del "C:\WINDOWS\System32\SubRange6.dll"

O4 - HKLM\..\RunOnce: [SpybotDeletingC646] cmd.exe /c del "C:\WINDOWS\System32\SubRange6.dll"

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Advanced SystemCare 4] "C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe"

O4 - HKCU\..\RunOnce: [SpybotDeletingB1919] command.com /c del "C:\WINDOWS\System32\SubRange6.dll"

O4 - HKCU\..\RunOnce: [SpybotDeletingD5539] cmd.exe /c del "C:\WINDOWS\System32\SubRange6.dll"

O4 - HKCU\..\RunOnce: [SpybotDeletingB9302] command.com /c del "C:\WINDOWS\System32\SubRange6.dll"

O4 - HKCU\..\RunOnce: [SpybotDeletingD408] cmd.exe /c del "C:\WINDOWS\System32\SubRange6.dll"

O4 - HKCU\..\RunOnce: [SpybotDeletingB7624] command.com /c del "C:\WINDOWS\System32\SubRange6.dll"

O4 - HKCU\..\RunOnce: [SpybotDeletingD3041] cmd.exe /c del "C:\WINDOWS\System32\SubRange6.dll"

O4 - HKCU\..\RunOnce: [SpybotDeletingB3009] command.com /c del "C:\WINDOWS\System32\SubRange6.dll"

O4 - HKCU\..\RunOnce: [SpybotDeletingD5309] cmd.exe /c del "C:\WINDOWS\System32\SubRange6.dll"

O4 - HKCU\..\RunOnce: [SpybotDeletingB694] command.com /c del "C:\WINDOWS\System32\SubRange6.dll"

O4 - HKCU\..\RunOnce: [SpybotDeletingD8550] cmd.exe /c del "C:\WINDOWS\System32\SubRange6.dll"

O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')

O4 - .DEFAULT User Startup: avzauz.exe (User 'Default user')

O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v3\WG111v3.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O13 - Gopher Prefix:

O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)

O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll

O23 - Service: Advanced SystemCare Service (AdvancedSystemCareService) - IObit - C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe

O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe

O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe

Edited by rob9095, 24 April 2011 - 01:56 PM.



#2 ldtate (Malware Expert, MVP)
:)


Internet Explorer (Windows)
1. Click "Tools", then click "Internet Options". This will bring up the Internet Options window.

2. Click the "Connections" tab, then click the "LAN Settings" button.

3. Uncheck the box labeled "Use a proxy server for your LAN". Click "OK", and click "OK" in the previous window. This will remove the proxy server settings in Internet Explorer.


Firefox (Windows)
1. Click "Tools", then click "Options" to bring up the Options window.

2. Click the "Advanced" button, then click the "Network" tab.

3. Click the "Settings" button, located next to "Configure how Firefox connects to the Internet".

4. Click the radio button labeled "No proxy". Click "OK" twice. This will remove the proxy server settings in Firefox.




Next:

Launch Notepad (Start>All Programs>Accessories), and copy/paste all the Quoted REGEDIT below to it. Don't forget to include REGEDIT4.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"=-

Save this as fixme.reg. Choose to save as "All files" and place it on your desktop.
It should look like this: [image]
Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Reboot and describe how your computer behaves at the moment.
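As an added illustration (not code from the thread, from HijackThis, Spybot, or ldtate), the script below applies the kind of checks a helper makes by eye on the log in post #1 and then emits the same REGEDIT4 fix ldtate gave in post #2. The sample log lines are constructed from entries quoted above; the severity labels, the list of "borrowed" Windows binary names and the user-writable path fragments are this example's own assumptions, not HijackThis output.

```python
"""Triage a HijackThis log and emit the REGEDIT4 proxy fix.

Added example for this thread; not code from HijackThis, Spybot,
ldtate or Geeks to Go. Heuristics and severities are assumptions.
"""
import re
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (severity, reason, original log line)

# Constructed sample: a subset of the entries quoted in post #1 above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:56283
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKLM\..\Run: [conhost] C:\Users\Rob\AppData\Roaming\Microsoft\conhost.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA5614] command.com /c del "C:\WINDOWS\System32\SubRange6.dll"
O4 - .DEFAULT User Startup: avzauz.exe (User 'Default user')
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
"""

# Genuine Windows binary names that malware likes to borrow (assumed list).
SYSTEM_NAMES = {"conhost", "csrss", "svchost", "lsass", "winlogon", "explorer"}
# Lower-case path fragments any user account can write to (assumed list).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\")

PROXY_RE = re.compile(r"^R1 - HKCU\\.*Internet Settings,ProxyServer = (?P<proxy>\S+)")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - (?P<where>[^:\[]*Startup): (?P<cmd>.+)$")


def triage(log_text: str) -> List[Finding]:
    """Return (severity, reason, line) for every HijackThis line worth a second look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.match(line)
        if m:
            proxy = m.group("proxy")
            if "127.0.0.1" in proxy or "localhost" in proxy.lower():
                findings.append(("high", f"browser traffic routed through a local proxy ({proxy}), typical of a hijacker", line))
            else:
                findings.append(("medium", f"proxy server configured ({proxy}); confirm it is intended", line))
            continue
        if line.startswith(("O2 - BHO:", "O3 - Toolbar:")) and line.endswith("(no file)"):
            findings.append(("low", "orphaned browser add-on entry (file missing); harmless but worth removing", line))
            continue
        m = O4_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd").lower()
            if name.lower() in SYSTEM_NAMES and "\\windows\\system32\\" not in cmd:
                findings.append(("high", f"'{name}' borrows a Windows binary name but runs from outside System32", line))
            elif name.startswith("SpybotDeleting"):
                findings.append(("info", "Spybot queued a delete for a file it could not remove while Windows was running", line))
            elif any(frag in cmd for frag in USER_WRITABLE):
                findings.append(("medium", "autorun entry points into a user-writable location", line))
            continue
        m = STARTUP_RE.match(line)
        if m:
            target = m.group("cmd").split(" (User")[0].strip()
            if re.fullmatch(r"[\w-]+\.exe", target, re.IGNORECASE):
                findings.append(("high", "bare executable in a startup folder with no vendor path", line))
            continue
        if line.startswith("O20 - AppInit_DLLs:"):
            findings.append(("medium", "AppInit_DLLs is loaded into every process; verify each DLL belongs to a known product", line))
    return findings


REG_PROXY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"


def reg_delete_value(key: str, value_name: str) -> str:
    """REGEDIT4 text that deletes one value: the '=-' form used by fixme.reg above."""
    return f'REGEDIT4\n\n[{key}]\n"{value_name}"=-\n'


def proxy_fix_reg(findings: List[Finding]) -> str:
    """Return fixme.reg contents if the log showed a ProxyServer entry, else ''."""
    if any(line.startswith("R1 - ") and "ProxyServer" in line for _, _, line in findings):
        return reg_delete_value(REG_PROXY_KEY, "ProxyServer")
    return ""


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for severity, reason, line in found:
        print(f"[{severity:6}] {reason}\n         {line}")
    fix = proxy_fix_reg(found)
    if fix:
        print("\n--- fixme.reg ---\n" + fix)
```

Run stand-alone, the block reports six findings from the constructed sample (the local proxy, the orphaned BHO, the conhost.exe copy in AppData, the queued Spybot delete, the bare startup executable and the AppInit_DLLs entry) and prints the same two-line fixme.reg ldtate posted; in a REGEDIT4 file, `"Name"=-` tells regedit to delete the named value rather than set it.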

#3 rob9095 (Topic Starter)
Hey, the fixme.reg fixed my proxy settings that were established by the virus. However, I still cannot load into normal mode. If there is a registry fix for the DisableSR registry key, I am missing that key and two other unknown ones, which is why I think I get the activation error on normal boot. Now I have pretty much diminished the virus, but since I have registry errors I am planning on reinstalling Windows. I don't have a recovery disk; however, I do have the 2.7GB files that are on the disk downloaded to my desktop. I am trying to figure out how to put the files on an SDHC card and then boot from the card. Any suggestions would be greatly appreciated. Thanks in advance.

#4 ldtate (Malware Expert, MVP)
Let's see if we can fix it.

Click: Start > All Programs> Accessories
Open Notepad, click on Format and uncheck Word Wrap.


Vista and Windows 7 users:
1. These tools MUST be run from the executable (.exe) every time you run them.
2. With Admin Rights (right click, choose "Run as Administrator").



Download ComboFix from one of these locations:

Link 1
Link 2 If using this link, Right Click and select Save As.


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs

  • Double click on ComboFix.exe & follow the prompts.

    Notes: ComboFix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7. If you have XP SP3, use the XP SP2 package.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[image]



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.


Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.

#5 rob9095 (Topic Starter)
These instructions look awesome; however, I can't run ComboFix while connected to the internet because my computer will only start in safe mode with no networking. Thank you very much for the instructions, but it's a day late and a dollar short. I figured out how to get the Windows install files onto my SDHC card and got the computer to boot from it, and am reinstalling Windows right now as we speak. Thanks for the help everyone, but it looks like the malware won this battle. The virus just better be gone when the reinstall is finished. If for some reason the reinstall fails I will definitely try out these instructions. ty and pz

Edited by rob9095, 28 April 2011 - 02:00 PM.


#6 ldtate (Malware Expert, MVP)
OK :)

#7 rob9095 (Topic Starter)
Surprise surprise the installation crashed at the expanding files part of the custom installation. Does anyone know how to fix this? I really hope someone can help thanks!

Edited by rob9095, 28 April 2011 - 08:46 PM.


#8 ldtate (Malware Expert, MVP)
Download the tools needed to a flash drive or other USB device, and transfer them to the infected computer.


If ComboFix won't run from the desktop, try running it from the USB device.

#9 rob9095 (Topic Starter)
Thank you for your response, but I got the installation to work for me (had to unplug all USB connections?) and I'm now posting from my restored computer. Thanks for the help, but this thread can be closed now; all is well and I'm back online!

#10 ldtate (Malware Expert, MVP)
Thanks for posting back and letting us know :)

Peace be with you

#11 ldtate (Malware Expert, MVP)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.