Virtumonde-cannot get rid of it, please help!

Hello! I seem to have picked up a Virtumonde yesterday. I have scanned the computer multiple times and Avast has found and deleted it, but it will not completely go away. Also Ad Aware will find Malware and delete that as well, but it keeps propagating. How can I wipe this thing out?

Welcome Bashring2000

This has been discussed many times before.

I would download MBAM then update it then run a quick scan and let it remove what it detects and a reboot may be required to remove locked files:
http://www.malwarebytes.org/mbam.php

Hi Bashring2000,

Latest removal info from here: http://www.bleepingcomputer.com/malware-removal/remove-vundo-virtumonde

Well MBAM is the program of choice against this, but Virtumonde can reappear, so I would advise to turn off system restore and then do a full system scan. How to turn off and on system restore, see:
http://support.microsoft.com/kb/310405

Then post a hijackthis log txt file as an attachment to your next posting. Get hijackthis here:
http://filehippo.com/download_hijackthis/
Do not download to a temp file, do not fix anything, just post the logfile, and we try to do an analysis,

polonus

With MBAM you do not just “let it remove”
you have to click the REMOVE button-
not to worry - a backup will be made

post the log and then run the HJT
additional instructions are in a stickie at the top of this forum

already mentioned SAVE HJT in its own folder not TEMP or Desktop
(in other words do not just click “OPEN”)

close all browser windows including this one when you run

cheers

I ran MBAM which found a whole lot of stuff, deleted all of it, then ran Avast again. Neither Avast, Ad Aware or MBAM have found anything since, so I believe I'm good to go! Any chance of this thing lying dormant, or should I have seen something new by now?

could you post your MBAM log please
run a scan with Kaspersky AV online scan
post if any hits (another recent poster found one and started a whole hidden malware chain)
post up that HJT (you got some symptoms- we gotta double check to see if the disease is gone)

then - before you go-
let’s talk prevention
we do not want to do this again- do we?

I wouldn’t think they would lie dormant after the scans you have done, but what may happen is it appears in the same way it did before.

Now, when MBAM detects stuff it would be nice to know what it was, whilst there are likely to be a lot of registry entries, etc. but also infected files, any one of which could have been responsible for the return of the files that avast detected.

So if those files weren’t detected by avast, before hitting the Remove Selected button, send a sample to avast so that it may be analysed and hopefully improve the avast detections, see below. I know when you’re up to your a** in alligators the last thing on your mind is draining the swamp, but it could not only help you in the future but other avast users. This is the value of a multi application approach to security.

Submit Samples:
Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

Here is my MBAM log-

Malwarebytes’ Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 2

4:32:56 PM 8/25/2008
mbam-log-08-25-2008 (16-32-56).txt

Scan type: Full Scan (C:\|)
Objects scanned: 68984
Time elapsed: 21 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 12
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\qicfsiic.dll (Trojan.Vundo.H) → Delete on reboot.
C:\WINDOWS\system32\iifgFUkJ.dll (Trojan.Vundo.H) → Delete on reboot.
C:\WINDOWS\system32\piqnod.dll (Trojan.Vundo.H) → Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74ce56ff-3469-47c0-93e1-d0cb8b203ea9} (Trojan.Vundo.H) → Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iifgfukj (Trojan.Vundo.H) → Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{74ce56ff-3469-47c0-93e1-d0cb8b203ea9} (Trojan.Vundo.H) → Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ebc60076-c0f3-4364-aa8b-454e43e6387e} (Trojan.Vundo.H) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ebc60076-c0f3-4364-aa8b-454e43e6387e} (Trojan.Vundo.H) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d8c2e22a (Trojan.Vundo.H) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{74ce56ff-3469-47c0-93e1-d0cb8b203ea9} (Trojan.Vundo.H) → Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\iifgFUkJ.dll (Trojan.Vundo.H) → Delete on reboot.
C:\WINDOWS\system32\piqnod.dll (Trojan.Vundo.H) → Delete on reboot.
C:\WINDOWS\system32\qicfsiic.dll (Trojan.Vundo.H) → Delete on reboot.
C:\WINDOWS\system32\ciisfciq.ini (Trojan.Vundo.H) → Quarantined and deleted successfully.
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\P5IXIFTH\kb767887[1] (Trojan.Vundo.H) → Quarantined and deleted successfully.
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\PRZWZEAO\kb456456[2] (Trojan.Vundo.H) → Quarantined and deleted successfully.
C:\System Volume Information\_restore{EE68CF73-0713-4840-9C1B-71389FC3D3E1}\RP295\A0016770.dll (Trojan.Vundo.H) → Quarantined and deleted successfully.
C:\WINDOWS\system32\hntsvsef.dll (Trojan.Vundo.H) → Quarantined and deleted successfully.
C:\WINDOWS\system32\jttkjd.dll (Trojan.Vundo.H) → Quarantined and deleted successfully.
C:\WINDOWS\system32\ckxygobv.dll (Trojan.Vundo.H) → Quarantined and deleted successfully.
C:\WINDOWS\system32\yayyAPfg.dll (Trojan.Vundo.H) → Quarantined and deleted successfully.
C:\xmp.bat (Trojan.Downloader) → Quarantined and deleted successfully.
C:\WINDOWS\system32\khfDvvVO.dll (Trojan.Vundo) → Delete on reboot.
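As an added illustration (not part of the thread, and not Malwarebytes' code), here is a small Python parser run over a constructed excerpt laid out like the MBAM 1.25 log above. It groups the detections by section and pulls out the three things worth reading off such a log before declaring victory: which objects were only marked "Delete on reboot" (they were in use, so the cleanup is not finished until the restart the first reply mentions), which ones sit in autostart locations (Winlogon Notify, Browser Helper Objects, Run, ShellExecuteHooks), and which were found inside a System Restore point, which is the reason the thread advises turning System Restore off before the full scan. The DLL names and GUIDs in the sample are placeholders.

```python
import re
from collections import Counter

# Constructed excerpt laid out like the MBAM 1.25 log posted above. The DLL
# names and GUIDs are placeholders, not detections from the poster's machine.
SAMPLE_MBAM_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\system32\aaaaaaaa.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\aaaaaaaa (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d8c2e22a (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\aaaaaaaa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP295\A0016770.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\xmp.bat (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# One detection line: "<item> (<family>) -> <action>."  MBAM writes "->"; logs
# pasted into forums often come out with a Unicode arrow, so accept both.
DETECTION_RE = re.compile(
    r"^(?P<item>.+) \((?P<family>[^()]+)\) (?:->|\u2192) (?P<action>.+?)\.?$"
)

# Autostart locations (lower-cased substrings) that Vundo-style infections use
# to get their DLLs loaded again after a cleanup.
PERSISTENCE_MARKERS = (
    "\\winlogon\\notify\\",
    "browser helper objects\\",
    "\\currentversion\\run\\",
    "\\shellexecutehooks\\",
)


def parse_mbam_log(text):
    """Return one dict per detection line, tagged with the section it sits in."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and " (" not in line:
            section = line[:-1]          # e.g. "Files Infected"
            continue
        m = DETECTION_RE.match(line)
        if m:                            # "(No malicious items detected)" does not match
            entries.append({"section": section, **m.groupdict()})
    return entries


def triage(entries):
    """Summarise what the log says about the cleanup state of the machine."""
    locked = [e for e in entries if e["action"].lower().startswith("delete on reboot")]
    persistence = [e for e in entries
                   if any(mk in e["item"].lower() for mk in PERSISTENCE_MARKERS)]
    restore_points = [e for e in entries
                      if "system volume information" in e["item"].lower()]
    return {
        # "Delete on reboot" means the object was in use (loaded DLL, active
        # registry hook); nothing is gone until the machine has restarted.
        "reboot_required": bool(locked),
        "locked_items": [e["item"] for e in locked],
        "persistence": [e["item"] for e in persistence],
        # A hit inside a restore point means System Restore has archived the
        # infected DLL and could restore it, hence the advice to switch it off.
        "restore_point_hits": [e["item"] for e in restore_points],
        "families": Counter(e["family"] for e in entries),
    }


if __name__ == "__main__":
    report = triage(parse_mbam_log(SAMPLE_MBAM_LOG))
    print("Reboot required:", report["reboot_required"])
    for key in ("locked_items", "persistence", "restore_point_hits"):
        print(f"{key}:")
        for item in report[key]:
            print("   ", item)
    print("Families:", dict(report["families"]))
```

Run it as a script, or paste a real log into `SAMPLE_MBAM_LOG`; a non-empty `locked_items` list is the cue to reboot and re-scan before posting the "all clean" message, and a non-empty `restore_point_hits` list is the cue to clear System Restore as polonus suggests.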

Hi Bashring2000.

Well MBAM has helped out greatly there, but I’d like to see that it has not missed anything. Post a fresh hijackthis log.txt as an attachment to your next reply.

Get hijackthis and download from here:
http://filehippo.com/download_hijackthis/
Do not download to a temp file, do not fix anything yet, just post the attached logfile, and we try to do an analysis for you,

Do not panic, all will be fine,
Welcome to the forums,

polonus

Ok, I ran Kaspersky and here is the report:

KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, August 26, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, August 26, 2008 18:01:32
Records in database: 1148524

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
H:\
I:\
J:\

Scan statistics:
Files scanned: 86082
Threat name: 7
Infected objects: 8
Suspicious objects: 0
Duration of the scan: 01:26:24

File name / Threat name / Threats count
C:\Documents and Settings\Chris\Local Settings\Temp\Av-test.txt Infected: EICAR-Test-File 1
C:\RECYCLER\S-1-5-21-1844237615-117609710-1801674531-1003\Dc762.exe Infected: Trojan-Downloader.Win32.Zlob.wxo 1
J:\Retrospect Backup\Backup of MAIN (E)\Documents and Settings\C Mason\Local Settings\Application Data\Identities\{F13FA187-9655-4507-8381-29B465910A89}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Smitfraud.c 1
J:\Retrospect Backup\Backup of MAIN (E)\Documents and Settings\C Mason\Local Settings\Application Data\Identities\{F13FA187-9655-4507-8381-29B465910A89}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Bankfraud.ci 1
J:\Retrospect Backup\Backup of MAIN (E)\Documents and Settings\C Mason\Local Settings\Application Data\Identities\{F13FA187-9655-4507-8381-29B465910A89}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Bankfraud.dq 1
J:\Retrospect Backup\Backup of MAIN (E)\Documents and Settings\C Mason\Local Settings\Application Data\Identities\{F13FA187-9655-4507-8381-29B465910A89}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Southfraud.r 1
J:\Retrospect Backup\Backup of MAIN (E)\Documents and Settings\C Mason\Local Settings\Application Data\Identities\{F13FA187-9655-4507-8381-29B465910A89}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Bayfraud.hn 2

The selected area was scanned.

The J:\retrospect is a backup file over a few years old, not sure what that is in there… should I just delete it?

Also, should I run Avast again for the 2 C: files?

I await your recommendation. Thanks!

Here is the Hijack this file results:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:29:35 PM, on 8/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: (no name) - {10ABCD57-FDDE-4941-B163-0B14D9BDDC0C} - C:\WINDOWS\system32\pmnNGyvW.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.509.5470\swg.dll
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe”
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM\..\Run: [mxomssmenu] “C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe”
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime
O4 - HKLM\..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe


End of file - 6902 bytes

Hi Bashring2000,

Not much that I see there:
Fix this:
O2 - BHO: (no name) - {10ABCD57-FDDE-4941-B163-0B14D9BDDC0C} - C:\WINDOWS\system32\pmnNGyvW.dll (file missing) Unknown application. Unnecessary (deactivated) entry that can be fixed.

You could run an additional Smitfraud fix run.

  1. Download SmitfraudFix from here: http://siri.geekstogo.com/SmitfraudFix.exe

  2. Then restart Windows in SafeMode. It is important to first start in SafeMode, because starting SmitfraudFix in normal mode will make your PC crash.

  3. When loaded in SafeMode open the file you have downloaded.
    You see a blue window with text.

  4. Click a random key to get a menu:

  5. Click 2 to start the killing process.

  6. When the killing process has finished, the program will prompt you if you allow it to cleanse the registry, for that click Y.

  7. After this has finished, the program will ask for a restart.

That’s all, don’t panic, all will be well,

polonus
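To show the kind of reading polonus does on the HijackThis log above, here is an added Python example (not from the thread and not HijackThis' own code) that runs a few triage rules over a constructed HJT-style excerpt. The orphaned BHO line is the one polonus marked for fixing; the `[d8c2e22a]` Run entry, the O20 Winlogon Notify entry and `placeholder.dll` / `aaaaaaaa` are made-up examples of what Vundo leftovers look like in such a log (compare the Run value and Winlogon\Notify key in the MBAM log earlier in the thread). The rules flag, with a reason each, entries whose file is missing, unnamed BHOs, Run values with random-looking 8-hex-character names (a heuristic, not proof), Winlogon Notify hooks, and services without a vendor string. The last rule catches PnkBstrA too, which is a prompt to verify, not a verdict: polonus left it alone.

```python
import re

# Constructed HijackThis-style excerpt (HJT 2.0.2 line layout). The "(no name)"
# BHO line is the one flagged in the thread; the [d8c2e22a] Run value, the O20
# line, placeholder.dll and aaaaaaaa are made-up Vundo-style leftovers.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: (no name) - {10ABCD57-FDDE-4941-B163-0B14D9BDDC0C} - C:\WINDOWS\system32\pmnNGyvW.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [d8c2e22a] rundll32.exe C:\WINDOWS\system32\placeholder.dll,s
O20 - Winlogon Notify: aaaaaaaa - C:\WINDOWS\system32\aaaaaaaa.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")   # "O4 - HKLM\..\Run: ..."
RUN_NAME_RE = re.compile(r"\[(?P<name>[^\]]+)\]")              # the [name] of an O4 entry
RANDOM_HEX_RE = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)    # names like d8c2e22a


def classify_line(line):
    """Return the reasons this HJT line deserves a look (empty list if none)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    code, body = m.group("code"), m.group("body")
    reasons = []
    if "(file missing)" in body:
        reasons.append("orphaned entry: the registered file no longer exists, safe to fix")
    if code == "O2" and "(no name)" in body:
        reasons.append("unnamed BHO: legitimate toolbars register a name")
    if code == "O4":
        name = RUN_NAME_RE.search(body)
        if name and RANDOM_HEX_RE.match(name.group("name")):
            reasons.append("Run value with a random-looking 8-hex name (heuristic only)")
    if code == "O20":
        reasons.append("Winlogon Notify hook: loads a DLL at every logon, verify the DLL")
    if code == "O23" and "Unknown owner" in body:
        reasons.append("service without a vendor string: verify where the binary came from")
    return reasons


def triage_hjt(text):
    """Run classify_line over a whole log and keep only the flagged lines."""
    findings = []
    for raw in text.splitlines():
        reasons = classify_line(raw)
        if reasons:
            findings.append({"line": raw.strip(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_hjt(SAMPLE_HJT_LOG):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("    ->", reason)
```

The output is a shortlist to check by hand, which is how the helpers in this thread use HJT: a flagged O4 or O20 entry is a reason to look up the DLL it points at, not a reason to click Fix on its own.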

Thanks for all your help! I really appreciate it!

after the smitfraud fix and anything else you have been asked to do post up a new HJT

The J:\retrospect is a backup file over a few years old, not sure what that is in there… should I just delete it?
up to you- do you need it?

did you run the kaspersky scan
I would like to see at least one clean AV scan in addition to avast