Virtumonde

I need help removing what I think is Virtumonde. I have run HijackThis and VundoFix and it keeps coming back. Here are the HijackThis log and VundoFix logs.

Logfile of HijackThis v1.99.1
Scan saved at 12:00:36 PM, on 4/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\downloads\alternativ.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.burley-guminiak.com/
O2 - BHO: (no name) - {C186607C-5F0C-4BCD-BB59-34B430B9CE9D} - C:\WINDOWS\system32\geedd.dll
O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\system32\byxvusp.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [PSBO Clean] C:\Program Files\KONICA MINOLTA\PageScope Box Operator\PSBO.exe /clean
O4 - HKLM\..\RunOnce: [VundoFix] "C:\downloads\vundofix.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\downloads\HijackThis.exe /startupscan
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{F35CC790-2ACC-4E00-84DE-8932E416B5E4}: NameServer = 24.92.226.12
O20 - Winlogon Notify: byxvusp - C:\WINDOWS\SYSTEM32\byxvusp.dll
O20 - Winlogon Notify: geedd - C:\WINDOWS\system32\geedd.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

VundoFix log

C:\WINDOWS\system32\byxvusp.dll
C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\geedd.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\byxvusp.dll
C:\WINDOWS\system32\byxvusp.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\ddeeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\geedd.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\byxvusp.dll
C:\WINDOWS\system32\byxvusp.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\ddeeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\geedd.dll Could not be deleted.

Performing Repairs to the registry.
Done!
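As an added example that is not part of the original thread, the following Python script parses the O2 (BHO) and O20 (Winlogon Notify) lines of a HijackThis log and reports system32 DLLs that appear both as a nameless BHO and as a Winlogon Notify handler, the pairing that makes geedd.dll and byxvusp.dll stand out in the log above. The sample lines are copied from that log (with the Google toolbar line kept as a clean control); the regexes and function names are my own and not part of HijackThis.

```python
import ntpath
import re

# Sample input: O2/O3/O20 lines taken from the HijackThis log posted above
# (constructed excerpt; the O3 Google toolbar line is a clean control).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {C186607C-5F0C-4BCD-BB59-34B430B9CE9D} - C:\WINDOWS\system32\geedd.dll
O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\system32\byxvusp.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O20 - Winlogon Notify: byxvusp - C:\WINDOWS\SYSTEM32\byxvusp.dll
O20 - Winlogon Notify: geedd - C:\WINDOWS\system32\geedd.dll
"""

# One HijackThis entry per line; only the two entry types used here are parsed.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


def parse_entries(log: str):
    """Return (bho_entries, notify_entries) as lists of dicts from a HijackThis log."""
    bhos, notifies = [], []
    for raw in log.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = O20_RE.match(line)
        if m:
            notifies.append(m.groupdict())
    return bhos, notifies


def in_system32(path: str) -> bool:
    # Case-insensitive: the log mixes "system32" and "SYSTEM32".
    return "\\system32\\" in path.lower()


def suspicious_dlls(log: str):
    """Basenames of system32 DLLs that are both a nameless BHO and a Winlogon Notify hook."""
    # Either entry alone can be legitimate; only DLLs in both sets are reported.
    bhos, notifies = parse_entries(log)
    unnamed = {ntpath.basename(b["path"]).lower()
               for b in bhos if b["name"] == "(no name)" and in_system32(b["path"])}
    hooked = {ntpath.basename(n["path"]).lower()
              for n in notifies if in_system32(n["path"])}
    return sorted(unnamed & hooked)
```

Running `suspicious_dlls(SAMPLE_LOG)` on the excerpt returns both DLL names that VundoFix later failed to delete, while the signed Google toolbar entry is not reported.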

Comments

  • edited April 2007
    Hello there, and welcome to Short-Media.

    Did you run VundoFix in normal mode or safe mode?
  • edited April 2007
    I had actually run it both ways. However, this morning I reran VundoFix in safe mode, and after 2 boots I got an error message of "Error loading C:\Windows\System32\ yelqutrl.dll". I then ran HijackThis and cleaned out a couple more things. Reran VundoFix and found no evidence of the Vundo virus. I had actually listed the logs, but I guess I pushed the wrong button and lost them when I went to post. On reboot, I reran VundoFix with no evidence and reran HijackThis with no evidence.
    It must have been something to do with the order I ran VundoFix and HijackThis. Anyway, it seems to be gone (for now). This is a pesky one for sure.
    Thanks for just jogging me enough to try a slightly different approach.
  • edited April 2007
    That sounds good.

    If you would still like us to check whether your system is clean, post a new HijackThis log.