Virtumonde.dll

Discussion in 'Online Security' started by unholy, Apr 2, 2008.

  1. unholy

    unholy

    Joined:
    Mar 17, 2007
    Messages:
    55
    virtumonde.dll

    I first noticed this in my Spybot scans about last Thursday. I've tried fixing it through Spybot but to no avail... It's probably something really dumb that I'm forgetting to do, but can someone point me in the direction of a fix to eliminate this nuisance?

    I'm running AVG free 7.5
    Windows Firewall behind a router

    The usual spybot scans every two or three days and Ccleaner about every week...

    Now it's starting to use IE popups on me and it's quite aggravating... Help me please?
     
  2. mikeL

    mikeL

    Joined:
    Nov 29, 1999
    Messages:
    1,063
    Location:
    Northeast, Michigan
    Try Super Anti-spyware, and run in safe mode. If running XP or newer turn off system restore before scanning.
    I would also give SmitfraudFix a try
     
    Last edited: Apr 2, 2008
  3. Petef56

    Petef56

    Joined:
    May 18, 2007
    Messages:
    662
    Location:
    USA, New Jersey
    Every Windows user that desires to be self-sufficient should have a bootable/Live CD containing Linux. My recommendation for this emergency purpose is Puppy Linux.

    Anytime you need to delete a file that can't be deleted using Windows or Windows applications, you boot to your Linux CD, navigate to the file and simply delete it.

    Besides that, if your computer ever gets messed up to the point where Windows won't start up or it won't allow you access to the Internet, you boot to your Linux CD to quickly determine whether the hardware is functioning properly. If your hardware is OK, you will at least have Internet access, which should be useful for solving your Windows problem.

    ---pete---
     
    Last edited: Apr 2, 2008
  4. rjfvillarosa

    rjfvillarosa Moderator Staff Member

    Joined:
    Sep 15, 2004
    Messages:
    7,561
    Location:
    Cardiff, Wales. UK
    Do not turn off System Restore yet.
    Once you turn off System Restore all your restore points will be gone; this should be done as a last resort.

    Download VundoFix from any of these three sites:
    http://www.softpedia.com/get/Antivirus/VundoFix.shtml
    http://www.softpedia.com/progDownload/VundoFix-Download-33165.html
    http://www.majorgeeks.com/download4954.html


    VundoFix is a removal tool for Virtumonde - aka Winfixer.

    To use Vundofix:
    Download the file and then double-click "VundoFix.exe" to run it.
    Put a check next to "Run VundoFix as a task".
    You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
    When VundoFix re-opens, click the "Scan for Vundo" button.
    Once it's done scanning, click the "Remove Vundo" button.
    You will receive a prompt asking if you want to remove the files, click YES
    Once you click yes, your desktop will go blank as it starts removing Vundo.
    When completed, it will prompt that it will shutdown your computer, click OK.
    Turn your computer back on.
     
  5. CyberSorcerer

    CyberSorcerer

    Joined:
    Feb 26, 2008
    Messages:
    21
    If you're looking to fix the virtumonde.dll, here is another set of instructions. I like to make things simple and easy to follow, sorry, just me.

    Please download VundoFix to your desktop.
    • Double-click VundoFix.exe to run it. If using Windows Vista be sure to Run As Administrator.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the 'Fix Vundo' button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot. Follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.
     
  6. unholy

    unholy

    Joined:
    Mar 17, 2007
    Messages:
    55
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:40:21 PM, on 4/3/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\PnkBstrB.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
    C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
    C:\WINDOWS\CTHELPER.EXE
    C:\WINDOWS\system32\CTXFIHLP.EXE
    C:\Program Files\Creative\Shared Files\CTSched.exe
    C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\svho.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\mssvcs.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\GetRight\getright.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Downloads\HiJackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: ACI5 Toolbar - {4fdbd65b-4803-46c0-b741-05131ffd0548} - C:\Program Files\ACI5\tbACI0.dll
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {060BB0AB-4B09-4C51-9ECB-9580A6D08D7F} - C:\WINDOWS\system32\xxyvSjhF.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: (no name) - {3C053924-304B-44BD-812E-D5696712329E} - C:\WINDOWS\system32\awtuTnMd.dll (file missing)
    O2 - BHO: ACI5 Toolbar - {4fdbd65b-4803-46c0-b741-05131ffd0548} - C:\Program Files\ACI5\tbACI0.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5C87A1C1-ADF7-49D7-ACA4-9BAE574BE4EB} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {9186E5E1-470C-4479-A8CA-6447B1487CB6} - C:\WINDOWS\system32\opnopqNH.dll (file missing)
    O2 - BHO: (no name) - {971C4700-8CE2-4541-B27C-66658D392009} - C:\WINDOWS\system32\fccdebAT.dll (file missing)
    O2 - BHO: (no name) - {9C624EE8-3A5D-42B3-BE49-3F9291ACAF94} - C:\WINDOWS\system32\efcdCRiJ.dll (file missing)
    O3 - Toolbar: ACI5 Toolbar - {4fdbd65b-4803-46c0-b741-05131ffd0548} - C:\Program Files\ACI5\tbACI0.dll
    O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
    O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
    O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [CreativeTaskScheduler] "C:\Program Files\Creative\Shared Files\CTSched.exe" /logon
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Microsoft Corporation Svchost Services] mssvcs.exe
    O4 - HKLM\..\Run: [System Service Manager Device] svho.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [BM377015e2] Rundll32.exe "C:\WINDOWS\system32\pqgsqqae.dll",s
    O4 - HKLM\..\RunServices: [Microsoft Corporation Svchost Services] mssvcs.exe
    O4 - HKLM\..\RunServices: [System Service Manager Device] svho.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Microsoft Corporation Svchost Services] mssvcs.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\RunServices: [Microsoft Corporation Svchost Services] mssvcs.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su2/CTL_V02002/ocx/15031/CTSUEng.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1191602209968
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1191602201109
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2/ocx/15035/CTPID.cab
    O20 - Winlogon Notify: xxyvSjhF - C:\WINDOWS\SYSTEM32\xxyvSjhF.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 9088 bytes

    I apologize for the delay. Thanks in advance!
     
  7. Negeva

    Negeva

    Joined:
    Apr 27, 2005
    Messages:
    537
    Did you run VundoFix before or after that HiJack log? Either way, just had a quick glance at it and these are the only malicious entries I could see:


    Code:
    C:\WINDOWS\system32\svho.exe
    C:\WINDOWS\system32\mssvcs.exe
    The above is a Win32/Rbot worm/trojan, commonly called the mIRC or MSN worm/trojan. It can be used to steal CD keys for games, and since I noticed you have PB installed I'll guess you're a bit of a gamer. More information here: LINK. To be honest, I'm surprised AVG hasn't detected and removed it, but then again it can be a pain to remove.

    ACI5 Toolbar is a malicious toolbar which modifies the default IE SearchHook and has some adware/trackware functionality. Remove now.

    The other entries have generic and randomly assigned names, typical of the latest strains of Vundo; and I've been seeing more of them lately.

    Since you have a mixture of malware, removal will be a long, arduous affair, involving several applications and re-boots. My main concern is the Win32/Rbot, as it can be a pain to remove, since it loads itself as a Windows service that sometimes hides itself.

    If you're willing I can provide instructions for the full removal of these infections, but it would be wise if you create a backup of all data and settings before proceeding. If so, post back and we'll begin.
     
  8. unholy

    unholy

    Joined:
    Mar 17, 2007
    Messages:
    55
    Yea. I got bugged using mIRC a few weeks ago. It's only begun to escalate in the past week or so...

    And yes, I am a bit of a gamer :)

    Just let me know what I need to do if you can.


    Can I use HiJackThis to remove some of these processes, or is this not as effective as other methods I have not heard of?
     
    Last edited: Apr 3, 2008
  9. Negeva

    Negeva

    Joined:
    Apr 27, 2005
    Messages:
    537

    Sorry for the delay; family life has a tendency to get in the way.

    We'll concentrate on removing that mIRC virus first, which in your log are the following:
    Code:
    C:\WINDOWS\system32\svho.exe
    C:\WINDOWS\system32\mssvcs.exe
    O4 - HKLM\..\Run: [System Service Manager Device] svho.exe
    First step is to download SDFix. You can find instructions and the download link here: LINK. Please run this in Safe Mode and read the instructions carefully before proceeding. After running SDFix please post back the log SDFix creates and a fresh HiJackThis log; it might be best to attach them so the post isn't ridiculously long.
     
  10. unholy

    unholy

    Joined:
    Mar 17, 2007
    Messages:
    55
    Well I think I got part of it... Not entirely sure.
     

    Attached Files:

  11. Negeva

    Negeva

    Joined:
    Apr 27, 2005
    Messages:
    537
    The good news is we've removed most of it, so just a few entries to remove. Run HijackThis and have it fix the following:

    Code:
    C:\WINDOWS\system32\mssvcs.exe
    R3 - URLSearchHook: (no name) - {4fdbd65b-4803-46c0-b741-05131ffd0548} - (no file)
    O2 - BHO: (no name) - {060BB0AB-4B09-4C51-9ECB-9580A6D08D7F} - C:\WINDOWS\system32\xxyvSjhF.dll
    O2 - BHO: (no name) - {1BD8E3CC-1802-41E3-AB44-0B20EBCCB8E4} - (no file)
    O2 - BHO: (no name) - {3C053924-304B-44BD-812E-D5696712329E} - (no file)
    O2 - BHO: (no name) - {489864D4-BA5D-4FB1-B924-4BCF9ABC0D2F} - (no file)
    O2 - BHO: (no name) - {4fdbd65b-4803-46c0-b741-05131ffd0548} - (no file)
    O2 - BHO: (no name) - {53C982E4-700D-40D6-9B5B-024055A91192} - C:\WINDOWS\system32\yayvVNDV.dll (file missing)
    O2 - BHO: (no name) - {5C87A1C1-ADF7-49D7-ACA4-9BAE574BE4EB} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {9186E5E1-470C-4479-A8CA-6447B1487CB6} - (no file)
    O2 - BHO: (no name) - {971C4700-8CE2-4541-B27C-66658D392009} - (no file)
    O2 - BHO: (no name) - {9C624EE8-3A5D-42B3-BE49-3F9291ACAF94} - (no file)
    O2 - BHO: (no name) - {E56724AB-EE65-454C-B853-502091BB6288} - (no file)
    O4 - HKLM\..\Run: [Microsoft Corporation Svchost Services] mssvcs.exe
    O4 - HKLM\..\Run: [BM377015e2] Rundll32.exe "C:\WINDOWS\system32\quvwigpt.dll",s
    O4 - HKLM\..\RunServices: [Microsoft Corporation Svchost Services] mssvcs.exe
    O4 - HKCU\..\Run: [Microsoft Corporation Svchost Services] mssvcs.exe
    
    Please post back a log. And, it might be useful to run full updated scans with: AVG, Spybot and Superantispyware. Make sure with Spybot you immunize your machine.
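    The triage in Negeva's two replies above (the Rbot entries and the unnamed Vundo BHOs in #7, the fix list in #11) follows a few repeatable signals. The script below is an added example, not code from this thread, from HijackThis or from any of the removal tools named here; it parses the O2, O4 and O20 line shapes, applies those signals, and correlates a DLL that shows up both as a BHO and as a Winlogon Notify package. The sample lines are excerpted from the log posted earlier in the thread, plus the benign CTHelper and ctfmon entries from the same log so the false-positive control is visible. The regexes, the impersonation word list and the reason strings are my own assumptions; a hit means "look closer", not "malicious".

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Sample input: lines excerpted from the HijackThis log posted in this thread,
# including two benign entries (CTHelper, ctfmon) that must NOT be flagged.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {060BB0AB-4B09-4C51-9ECB-9580A6D08D7F} - C:\WINDOWS\system32\xxyvSjhF.dll
O2 - BHO: (no name) - {3C053924-304B-44BD-812E-D5696712329E} - C:\WINDOWS\system32\awtuTnMd.dll (file missing)
O2 - BHO: (no name) - {5C87A1C1-ADF7-49D7-ACA4-9BAE574BE4EB} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Microsoft Corporation Svchost Services] mssvcs.exe
O4 - HKLM\..\RunServices: [System Service Manager Device] svho.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: xxyvSjhF - C:\WINDOWS\SYSTEM32\xxyvSjhF.dll
"""

# Line shapes for the three HijackThis sections this helper understands (assumed regexes).
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK[^\\]+(?:\\[^\\]+)?)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")

# Words a vendor rarely puts in its own Run-key label but malware uses to look
# like part of Windows (assumed list; tune it to what you see in practice).
IMPERSONATION_WORDS = ("microsoft", "svchost", "system", "windows")


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased (os.path would not split on '\\' on Linux)."""
    return re.split(r"[\\/]", path.strip())[-1].lower()


def dll_present(target: str) -> bool:
    """HijackThis marks a registration whose file is gone with '(no file)' or '(file missing)'."""
    return target != "(no file)" and not target.endswith("(file missing)")


def bare_executable(cmd: str) -> Optional[str]:
    """Program name when the command is a bare filename resolved via the search path, else None."""
    tokens = cmd.split()
    if not tokens:
        return None
    prog = tokens[0].strip('"')
    return prog if "\\" not in prog and ":" not in prog else None


def triage_bho(m: re.Match) -> List[str]:
    reasons = []
    if m["name"] == "(no name)":
        if dll_present(m["target"]):
            reasons.append("unnamed BHO whose DLL is still present: no vendor string, inspect the file")
        else:
            reasons.append("orphaned BHO: unnamed and its DLL is already gone (stale CLSID registration)")
    return reasons


def triage_run(m: re.Match) -> List[str]:
    reasons = []
    prog = bare_executable(m["cmd"])
    if prog and any(w in m["label"].lower() for w in IMPERSONATION_WORDS):
        reasons.append(f"autorun label imitates a Windows component but launches bare '{prog}' via the search path")
    if m["key"].lower() == "runservices":
        reasons.append("RunServices key: ignored by NT-based Windows (XP included); XP-era software has no reason to write here")
    return reasons


def scan(log_text: str) -> Dict[str, List[str]]:
    """Return {log line: [reasons]} for every line that trips at least one heuristic."""
    findings: Dict[str, List[str]] = defaultdict(list)
    unnamed_bho_dlls = set()   # DLL basenames of unnamed BHOs whose file still exists
    notify_entries = []        # (line, match) pairs, judged once all BHOs are known
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := BHO_RE.match(line):
            findings[line].extend(triage_bho(m))
            if m["name"] == "(no name)" and dll_present(m["target"]):
                unnamed_bho_dlls.add(basename(m["target"]))
        elif m := RUN_RE.match(line):
            findings[line].extend(triage_run(m))
        elif m := NOTIFY_RE.match(line):
            notify_entries.append((line, m))
    # Correlation: one DLL registered both as a BHO and as a Winlogon Notify
    # package (the xxyvSjhF pair in the posted log) is a single component with
    # two persistence points, the pattern the replies attribute to Vundo.
    for line, m in notify_entries:
        if basename(m["target"]) in unnamed_bho_dlls:
            findings[line].append("Winlogon Notify DLL is the same file as an unnamed BHO: one component, two persistence points")
    return {line: reasons for line, reasons in findings.items() if reasons}


if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("    ->", r)
```

    Run against the sample, the script flags six lines (three unnamed BHOs, the two Rbot autoruns with two reasons on the RunServices one, and the Winlogon Notify correlation) and stays quiet on the Acrobat, AVG, CTHelper and ctfmon entries. Bare filenames alone are deliberately not a finding, because legitimate drivers also use them (CTHELPER.EXE, nwiz.exe in the posted log); it takes the bare filename together with a label that pretends to be Windows.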
     
  12. unholy

    unholy

    Joined:
    Mar 17, 2007
    Messages:
    55
    I think I finally got it all!!!

    I had been having some random thing popup whenever I logged into my account...

    Something was using a Private EXE Protector or something from setisoft....

    Those stopped after SuperAntiSpyware was run and I deleted all those browser values that were on my system. Thank you very much!


    Here is my last HijackThis log.
     

    Attached Files:

  13. Negeva

    Negeva

    Joined:
    Apr 27, 2005
    Messages:
    537
    Congratulations, your machine is clean :)

    Just a tip, you don't need SUPERAntiSpyware (SAS) set to run when Windows loads; enter the program and select 'Preferences' from the main window and untick 'Start SUPERAntiSpyware when Windows loads'.

    The random pop-ups were coming from the Vundo virus you had; SAS has the ability to remove all of it, which it did. Plus, you removed several of the services and .dll files it requires with HiJackThis.

    Just remember to update and immunize your machine with Spybot at least once a week to help protect against known malicious URLs and so on. Keep Windows fully patched. And, don't accept files from strangers; or at least scan them using one of the many free online scanning sites:

    http://virusscan.jotti.org/
    http://www.virustotal.com/
     
    Last edited: Apr 7, 2008
  14. unholy

    unholy

    Joined:
    Mar 17, 2007
    Messages:
    55
    Sweet. Thanks for all the help. All these programs I didn't even know about helped so much. :)

    Thanks everyone!
     
  15. akala

    akala

    Joined:
    Jun 16, 2008
    Messages:
    4
    Here is a log of my HijackThis, please help
     
    Last edited by a moderator: Jun 16, 2008
  16. glc

    glc Forum Administrator Staff Member

    Joined:
    May 26, 2000
    Messages:
    46,963
    Location:
    Joplin MO
