PCMech Forums > Help & Discussion > Networking & Online Security
Old 04-01-2008, 11:38 PM   #1
Member (6 bit)
 
Join Date: Mar 2007
Posts: 55
Virtumonde.dll

virtumonde.dll

I first noticed this in my Spybot scans about last Thursday. I've tried fixing it through Spybot but to no avail... It's probably something really dumb that I'm forgetting to do, but can someone point me in the direction of a fix to eliminate this nuisance?

I'm running AVG free 7.5
Windows Firewall behind a router

The usual spybot scans every two or three days and Ccleaner about every week...

Now it's starting to use IE popups on me and it's quite aggravating... Help me please?
unholy is offline   Reply With Quote
Old 04-02-2008, 05:07 AM   #2
Member (11 bit)
 
mikeL's Avatar
 
Join Date: Nov 1999
Location: Northeast, Michigan
Posts: 1,063
Try Super Anti-spyware, and run in safe mode. If running XP or newer, turn off System Restore before scanning.
I would also give SmitfraudFix a try
__________________
Registered linux user # 217167 - Be counted http://counter.li.org/
Currently running:
Desktop - XP Pro, Fedora
HP dv9700z CTO laptop, running Windows 7 Pro

Last edited by mikeL; 04-02-2008 at 05:16 AM.
mikeL is offline   Reply With Quote
Old 04-02-2008, 06:52 AM   #3
Member (10 bit)
 
Join Date: May 2007
Location: USA, New Jersey
Posts: 534
Every Windows user that desires to be self sufficient should have a bootable/Live CD containing Linux. My recommendation for this emergency purpose is Puppy Linux.

Anytime you need to delete a file that can't be deleted using Windows or Windows applications, you boot to your Linux CD, navigate to the file and simply delete it.

Besides that, if your computer ever gets messed up to the point where Windows won't start up or it won't allow you access to the Internet, you boot to your Linux CD to quickly determine whether the hardware is functioning properly. If your hardware is ok, you will at least have Internet access, which should be useful for solving your Windows problem.

---pete---

Last edited by Petef56; 04-02-2008 at 06:54 AM.
Petef56 is offline   Reply With Quote
Old 04-02-2008, 07:06 AM   #4
Staff
Premium Member
 
rjfvillarosa's Avatar
 
Join Date: Sep 2004
Location: Cardiff, Wales. UK
Posts: 6,555
Do not turn off System Restore yet.
Once you turn off System Restore all your restore points will be gone, this should be done as a last resort.

Download VundoFix from any of these three sites:
http://www.softpedia.com/get/Antivirus/VundoFix.shtml
http://www.softpedia.com/progDownloa...oad-33165.html
http://www.majorgeeks.com/download4954.html


VundoFix is a removal tool for Virtumonde - aka Winfixer.

To use Vundofix:
Download the file and then double-click "VundoFix.exe" to run it.
Put a check next to "Run VundoFix as a task".
You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
__________________
Niwa no niwa ni wa, niwa no niwatori wa niwaka ni wani o tabeta.
rjfvillarosa is offline   Reply With Quote
Old 04-02-2008, 05:06 PM   #5
Member (5 bit)
 
Join Date: Feb 2008
Posts: 21
If you're looking to fix virtumonde.dll, here is another set of instructions. I like to make things simple and easy to follow, sorry, just me.

Please download VundoFix to your desktop.
  • Double-click VundoFix.exe to run it. If using Windows Vista be sure to Run As Administrator.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the 'Fix Vundo' button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot. Follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.
CyberSorcerer is offline   Reply With Quote
Old 04-03-2008, 03:42 PM   #6
Member (6 bit)
 
Join Date: Mar 2007
Posts: 55
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:40:21 PM, on 4/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\svho.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\mssvcs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Downloads\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: ACI5 Toolbar - {4fdbd65b-4803-46c0-b741-05131ffd0548} - C:\Program Files\ACI5\tbACI0.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {060BB0AB-4B09-4C51-9ECB-9580A6D08D7F} - C:\WINDOWS\system32\xxyvSjhF.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {3C053924-304B-44BD-812E-D5696712329E} - C:\WINDOWS\system32\awtuTnMd.dll (file missing)
O2 - BHO: ACI5 Toolbar - {4fdbd65b-4803-46c0-b741-05131ffd0548} - C:\Program Files\ACI5\tbACI0.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C87A1C1-ADF7-49D7-ACA4-9BAE574BE4EB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9186E5E1-470C-4479-A8CA-6447B1487CB6} - C:\WINDOWS\system32\opnopqNH.dll (file missing)
O2 - BHO: (no name) - {971C4700-8CE2-4541-B27C-66658D392009} - C:\WINDOWS\system32\fccdebAT.dll (file missing)
O2 - BHO: (no name) - {9C624EE8-3A5D-42B3-BE49-3F9291ACAF94} - C:\WINDOWS\system32\efcdCRiJ.dll (file missing)
O3 - Toolbar: ACI5 Toolbar - {4fdbd65b-4803-46c0-b741-05131ffd0548} - C:\Program Files\ACI5\tbACI0.dll
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CreativeTaskScheduler] "C:\Program Files\Creative\Shared Files\CTSched.exe" /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Microsoft Corporation Svchost Services] mssvcs.exe
O4 - HKLM\..\Run: [System Service Manager Device] svho.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BM377015e2] Rundll32.exe "C:\WINDOWS\system32\pqgsqqae.dll",s
O4 - HKLM\..\RunServices: [Microsoft Corporation Svchost Services] mssvcs.exe
O4 - HKLM\..\RunServices: [System Service Manager Device] svho.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Corporation Svchost Services] mssvcs.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [Microsoft Corporation Svchost Services] mssvcs.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su2/CTL_V020...31/CTSUEng.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1191602209968
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1191602201109
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupda...5035/CTPID.cab
O20 - Winlogon Notify: xxyvSjhF - C:\WINDOWS\SYSTEM32\xxyvSjhF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9088 bytes

I apologize for the delay. Thanks in advance!
unholy is offline   Reply With Quote
Old 04-03-2008, 06:24 PM   #7
Member (10 bit)
 
Join Date: Apr 2005
Posts: 537
Did you run VundoFix before or after that HiJack log? Either way, just had a quick glance at it and these are the only malicious entries I could see:

Quote:
C:\WINDOWS\system32\svho.exe
C:\WINDOWS\system32\mssvcs.exe

O2 - BHO: (no name) - {3C053924-304B-44BD-812E-D5696712329E} - C:\WINDOWS\system32\awtuTnMd.dll (file missing)
O2 - BHO: ACI5 Toolbar - {4fdbd65b-4803-46c0-b741-05131ffd0548} - C:\Program Files\ACI5\tbACI0.dll

O2 - BHO: (no name) - {9186E5E1-470C-4479-A8CA-6447B1487CB6} - C:\WINDOWS\system32\opnopqNH.dll (file missing)
O2 - BHO: (no name) - {971C4700-8CE2-4541-B27C-66658D392009} - C:\WINDOWS\system32\fccdebAT.dll (file missing)
O2 - BHO: (no name) - {9C624EE8-3A5D-42B3-BE49-3F9291ACAF94} - C:\WINDOWS\system32\efcdCRiJ.dll (file missing)
O3 - Toolbar: ACI5 Toolbar - {4fdbd65b-4803-46c0-b741-05131ffd0548} - C:\Program Files\ACI5\tbACI0.dll

O4 - HKLM\..\Run: [System Service Manager Device] svho.exe
O4 - HKLM\..\Run: [BM377015e2] Rundll32.exe "C:\WINDOWS\system32\pqgsqqae.dll",s

O20 - Winlogon Notify: xxyvSjhF - C:\WINDOWS\SYSTEM32\xxyvSjhF.dll

Code:
C:\WINDOWS\system32\svho.exe
C:\WINDOWS\system32\mssvcs.exe
The above are a Win32/Rbot worm/trojan, commonly called the mIRC or MSN worm/trojan. It can be used to steal CD keys for games, and since I noticed you have PB installed I'll guess you're a bit of a gamer. More information here: LINK. To be honest I'm surprised AVG hasn't detected and removed it, but then again it can be a pain to remove.

ACI5 Toolbar is a malicious toolbar which modifies the default IE SearchHook and has some adware/trackware functionality. Remove now.

The other entries have generic and randomly assigned names, typical of the latest strains of Vundo; and I've been seeing more of them lately.

Since you have a mixture of malware, removal will be a long, arduous affair, involving several applications and re-boots. My main concern is the Win32/Rbot as it can be a pain to remove, since it loads itself as a Windows service that sometimes hides itself.

If you're willing I can provide instructions for the full removal of these infections, but it would be wise if you create a backup of all data and settings before proceeding. If so, post back and we'll begin.
Negeva is offline   Reply With Quote
Old 04-03-2008, 09:43 PM   #8
Member (6 bit)
 
Join Date: Mar 2007
Posts: 55
Yea. I got bugged using mIRC a few weeks ago. It's only begun to escalate in the past week or so...

And yes I am a bit of a gamer

Just let me know what I need to do if you can.


Can I use HiJackThis to remove some of these processes or is this not as effective as other methods I have not heard of.

Last edited by unholy; 04-03-2008 at 10:56 PM.
unholy is offline   Reply With Quote
Old 04-05-2008, 07:42 AM   #9
Member (10 bit)
 
Join Date: Apr 2005
Posts: 537
Quote:
Originally Posted by $partan
Yea. I got bugged using mIRC a few weeks ago. It's only begun to escalate in the past week or so...

And yes I am a bit of a gamer

Just let me know what I need to do if you can.


Can I use HiJackThis to remove some of these processes or is this not as effective as other methods I have not heard of.

Sorry for the delay; family life has a tendency to get in the way.

We'll concentrate on removing that mIRC virus first, which in your log are the following:
Code:
C:\WINDOWS\system32\svho.exe
C:\WINDOWS\system32\mssvcs.exe
O4 - HKLM\..\Run: [System Service Manager Device] svho.exe
First step is to download SDFix. You can find instructions and the download link here: LINK. Please run this in Safe-Mode and read the instructions carefully before proceeding. After running SDFix please post back the log SDFix creates and a fresh HiJackThis log: might be best to attach them so the post isn't ridiculously long.
Negeva is offline   Reply With Quote
Old 04-06-2008, 12:45 AM   #10
Member (6 bit)
 
Join Date: Mar 2007
Posts: 55
Well I think I got part of it... Not entirely sure.
Attached Files
File Type: txt Report.txt (5.4 KB, 113 views)
File Type: txt Hijackthis_04_06_08.txt (8.2 KB, 88 views)
unholy is offline   Reply With Quote
Old 04-06-2008, 12:20 PM   #11
Member (10 bit)
 
Join Date: Apr 2005
Posts: 537
The good news is we've removed most of it, so just a few entries to remove. Run HijackThis and make it fix the following:

Code:
C:\WINDOWS\system32\mssvcs.exe
R3 - URLSearchHook: (no name) - {4fdbd65b-4803-46c0-b741-05131ffd0548} - (no file)
O2 - BHO: (no name) - {060BB0AB-4B09-4C51-9ECB-9580A6D08D7F} - C:\WINDOWS\system32\xxyvSjhF.dll
O2 - BHO: (no name) - {1BD8E3CC-1802-41E3-AB44-0B20EBCCB8E4} - (no file)
O2 - BHO: (no name) - {3C053924-304B-44BD-812E-D5696712329E} - (no file)
O2 - BHO: (no name) - {489864D4-BA5D-4FB1-B924-4BCF9ABC0D2F} - (no file)
O2 - BHO: (no name) - {4fdbd65b-4803-46c0-b741-05131ffd0548} - (no file)
O2 - BHO: (no name) - {53C982E4-700D-40D6-9B5B-024055A91192} - C:\WINDOWS\system32\yayvVNDV.dll (file missing)
O2 - BHO: (no name) - {5C87A1C1-ADF7-49D7-ACA4-9BAE574BE4EB} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9186E5E1-470C-4479-A8CA-6447B1487CB6} - (no file)
O2 - BHO: (no name) - {971C4700-8CE2-4541-B27C-66658D392009} - (no file)
O2 - BHO: (no name) - {9C624EE8-3A5D-42B3-BE49-3F9291ACAF94} - (no file)
O2 - BHO: (no name) - {E56724AB-EE65-454C-B853-502091BB6288} - (no file)
O4 - HKLM\..\Run: [Microsoft Corporation Svchost Services] mssvcs.exe
4 - HKLM\..\Run: [BM377015e2] Rundll32.exe "C:\WINDOWS\system32\quvwigpt.dll",s
O4 - HKLM\..\RunServices: [Microsoft Corporation Svchost Services] mssvcs.exe
O4 - HKCU\..\Run: [Microsoft Corporation Svchost Services] mssvcs.exe
Please post back a log. And, it might be useful to run full updated scans with: AVG, Spybot and Superantispyware. Make sure with Spybot you immunize your machine.
Negeva is offline   Reply With Quote
Old 04-06-2008, 06:25 PM   #12
Member (6 bit)
 
Join Date: Mar 2007
Posts: 55
I think I finally got it all!!!

I had been having some random thing popup whenever I logged into my account...

Something was using a Private EXE Protector or something from setisoft....

Those stopped after SuperAntiSpyware was run and I deleted all those browser values that were on my system. Thank you very much!


here is my last HijackThis log.
Attached Files
File Type: txt hijackthis04_06_08_2.txt (6.4 KB, 118 views)
unholy is offline   Reply With Quote
Old 04-07-2008, 06:58 AM   #13
Member (10 bit)
 
Join Date: Apr 2005
Posts: 537
Congratulations, your machine is clean.

Just a tip, you don't need SUPERAntiSpyware (SAS) set to run when Windows loads; enter the program and select 'Preferences' from the main window and untick 'Start SUPERAntiSpyware when Windows loads'.

The random pop-ups were coming from the Vundo virus you had, SAS has the ability to remove all of it, which it did. Plus, you removed several of the services and .dll files it requires with HiJackThis.

Just remember to update and immunize your machine with Spybot at least once a week to help protect against known malicious URLs and so on. Keep Windows fully patched. And, don't accept files from strangers; or at least scan them using one of the many free online scanning sites:

http://virusscan.jotti.org/
http://www.virustotal.com/

Last edited by Negeva; 04-07-2008 at 07:00 AM.
Negeva is offline   Reply With Quote
Old 04-07-2008, 11:02 PM   #14
Member (6 bit)
 
Join Date: Mar 2007
Posts: 55
Sweet. Thanks for all the help. All these programs I didn't even know about helped so much.

Thanks everyone!
unholy is offline   Reply With Quote
Old 06-16-2008, 01:23 PM   #15
Member (3 bit)
 
Join Date: Jun 2008
Posts: 4
Here is a log of my HijackThis, please help

Last edited by glc; 06-16-2008 at 02:10 PM.
akala is offline   Reply With Quote
Old 06-16-2008, 02:10 PM   #16
glc
Forum Administrator
Staff
Premium Member
 
glc's Avatar
 
Join Date: May 2000
Location: Joplin MO
Posts: 41,163
Akala:

MUST READ before posting HijackThis Logs!

Also, please start your own thread.
glc is offline   Reply With Quote