
[Infected with Virtumonde]

Discussion in 'Malware and Virus Removal Archive' started by prashantnasa, 2008/03/04.

  1. 2008/03/04
    prashantnasa

    prashantnasa Inactive Thread Starter

    Joined:
    2008/03/04
    Messages:
    4
    Likes Received:
    0
    This Adware-Virtumonde has really FREAKED me out.... I'm really half out of my mind.... not even a virus has irritated me that badly.... what should I do, guys! Just last week I got it for the first time ever on my comp, and my NOD32 detected it but couldn't delete it as it infected a system file called "ssqqpmk.dll".

    And I couldn't get rid of it.... not even with VundoFix, which was suggested in one of your archive threads..... it took 6 hrs to scan.... but still couldn't do anything... and then all I could do was format my C drive and reinstall Windows, and I also installed SpywareBlaster to secure my PC..... but here I am again with this Virtumonde... PLEASE HELP ME OUT!
    Here's my HJT scan log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:08:59 PM, on 3/4/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Universal Shield 4.1\US30Service.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.irfanview.net/faq.htm
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: US30Service - Unknown owner - C:\Program Files\Universal Shield 4.1\US30Service.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 3848 bytes


    I'm also trying now this SDFix which you suggested.... hope this works... will be back in some minutes after trying it. But please help me kill this devil!
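The HJT log above is the format the helpers on this forum triage by eye: O4 Run keys, O23 services and, for Vundo, typically an O2 BHO or O20 Winlogon Notify entry pointing at a randomly named DLL in system32. As an added example (not from this thread, from Trend Micro, or from any tool the thread names), the Python script below parses those sections and flags the cheap indicators an analyst would look at first. The embedded sample is constructed: real lines from the posted log plus one constructed O20 line pointing at the ssqqpmk.dll the poster named. The heuristics (a 6+ letter all-lowercase filename with no vowels, a service with "Unknown owner", a nameless BHO) are my assumptions; each hit is a lead to verify, not a verdict.

```python
"""Triage a HijackThis 2.x log for Vundo/Virtumonde-style indicators.

Added example; not part of the thread. Every flagged line is something to
look into (publisher, signature, file properties), never proof of infection.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the posted log, plus a constructed
# O20 line that points at the DLL the poster said NOD32 could not delete.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: ssqqpmk - C:\WINDOWS\system32\ssqqpmk.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: US30Service - Unknown owner - C:\Program Files\Universal Shield 4.1\US30Service.exe
"""


@dataclass
class Entry:
    kind: str   # HJT section code: O2, O4, O20 or O23
    label: str  # run-key name, BHO name, notify key or service name
    owner: str  # O23 publisher column; empty for other sections
    path: str   # executable/DLL path with quotes and arguments stripped


_O4 = re.compile(r'^O4 - \S+: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$')
_O20 = re.compile(r'^O20 - Winlogon Notify: (?P<label>\S+) - (?P<path>.*)$')
_O23 = re.compile(r'^O23 - Service: (?P<label>.+?) - (?P<owner>.+?) - (?P<path>.*)$')
_O2 = re.compile(r'^O2 - BHO: (?P<label>.+?) - \{[^}]+\} - (?P<path>.*)$')
# First token ending in a binary extension, with an optional leading quote;
# handles unquoted paths that contain spaces (common in Run keys).
_EXE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|sys|scr|com))', re.IGNORECASE)


def _strip_cmd(cmd: str) -> str:
    """Reduce a command line such as '"C:\\x y\\a.exe" /tray' to the path."""
    m = _EXE.match(cmd.strip())
    return m.group('path') if m else cmd.strip()


def parse_entries(log_text: str) -> List[Entry]:
    """Extract O2/O4/O20/O23 entries; other sections are ignored."""
    entries: List[Entry] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := _O4.match(line):
            entries.append(Entry('O4', m['label'], '', _strip_cmd(m['cmd'])))
        elif m := _O20.match(line):
            entries.append(Entry('O20', m['label'], '', m['path'].strip()))
        elif m := _O23.match(line):
            entries.append(Entry('O23', m['label'], m['owner'], _strip_cmd(m['path'])))
        elif m := _O2.match(line):
            entries.append(Entry('O2', m['label'], '', m['path'].strip()))
    return entries


def file_stem(path: str) -> str:
    """Filename without directory or extension, for Windows or POSIX separators."""
    name = re.split(r'[\\/]', path)[-1]
    return name.rsplit('.', 1)[0]


def looks_random(stem: str) -> bool:
    """Heuristic (assumption): 6+ all-lowercase letters with no a/e/i/o/u,
    the shape of Vundo's generated names (ssqqpmk, fcccyxy). Legit names
    like ctfmon or spoolsv contain a vowel and are not flagged."""
    return (len(stem) >= 6 and stem.isalpha() and stem.islower()
            and not set(stem) & set('aeiou'))


def triage(log_text: str) -> List[dict]:
    """Return one finding per (entry, reason) pair worth a second look."""
    findings: List[dict] = []
    for e in parse_entries(log_text):
        reasons = []
        if looks_random(file_stem(e.path)):
            reasons.append('random-looking filename')
        if e.kind == 'O20':
            reasons.append('Winlogon Notify handler loads a DLL into winlogon.exe; review')
        if e.kind == 'O2' and e.label == '(no name)':
            reasons.append('BHO with no name; review')
        if e.kind == 'O23' and e.owner == 'Unknown owner':
            reasons.append('service with unknown owner; verify publisher')
        for r in reasons:
            findings.append({'kind': e.kind, 'label': e.label, 'path': e.path, 'reason': r})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:<4} {f['path']}  <- {f['reason']}")
```

Run it against a pasted log by replacing SAMPLE_LOG with the file contents. On the constructed sample it flags the ssqqpmk.dll notify handler twice (random name, Winlogon Notify) and the Universal Shield service once (unknown owner, which only means HJT could not read a publisher; the product itself is legitimate), and leaves ctfmon.exe, igfxtray.exe and the quoted SoundMAX path alone.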
     
  2. 2008/03/04
    prashantnasa

    prashantnasa Inactive Thread Starter

    Joined:
    2008/03/04
    Messages:
    4
    Likes Received:
    0
    Here's my SDFix report.... it says everything is fine and no Trojans found.... but I'm again at the same place!
    Virtumonde is still the winner...... and file fcccyxy.dll is still infected and MY PC is so busy.....

    Please help
    SDFix: Version 1.152

    Run by Administrator on Tue 03/04/2008 at 07:35 PM

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix

    Checking Services :


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting


    Checking Files :

    No Trojan Files Found






    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-03-04 19:46:26
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
    "s1"=dword:2df9c43f
    "s2"=dword:110480d0
    "h0"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
    "p0"="C:\Program Files\DAEMON Tools Pro\"
    "h0"=dword:00000000
    "hdf12"=hex:1e,3a,34,2c,1e,ab,c9,92,d6,b7,f2,3c,e3,57,09,ea,0d,25,ef,52,3a,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
    "a0"=hex:20,01,00,00,bd,23,dd,d1,20,10,18,49,85,25,db,2f,6b,f4,fa,53,c3,..
    "hdf12"=hex:d8,c9,ca,a8,9a,3f,a1,1d,fe,5a,a5,f3,72,38,f1,e3,1a,67,36,bf,30,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
    "hdf12"=hex:7a,c1,00,06,c3,c8,f6,8e,87,f1,48,b0,c0,ba,83,89,fb,1d,66,8b,84,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
    "p0"="C:\Program Files\DAEMON Tools Pro\"
    "h0"=dword:00000000
    "hdf12"=hex:1e,3a,34,2c,1e,ab,c9,92,d6,b7,f2,3c,e3,57,09,ea,0d,25,ef,52,3a,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
    "a0"=hex:20,01,00,00,bd,23,dd,d1,20,10,18,49,85,25,db,2f,6b,f4,fa,53,c3,..
    "hdf12"=hex:d8,c9,ca,a8,9a,3f,a1,1d,fe,5a,a5,f3,72,38,f1,e3,1a,67,36,bf,30,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
    "hdf12"=hex:7a,c1,00,06,c3,c8,f6,8e,87,f1,48,b0,c0,ba,83,89,fb,1d,66,8b,84,..

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services :



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    Remaining Files :



    Files with Hidden Attributes :

    Wed 31 Oct 2007 6,219,320 A..HR --- "C:\Program Files\Picasa2\setup.exe"
    Fri 29 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\7b94d041c29d0b8d724c97ae0005e71b\BIT1A.tmp"

    Finished!
     

  4. 2008/03/04
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Please do not, under any circumstances, hijack an existing thread - always start a new thread.

    I have split your posts to a new thread.
     
  5. 2008/03/04
    prashantnasa

    prashantnasa Inactive Thread Starter

    Joined:
    2008/03/04
    Messages:
    4
    Likes Received:
    0
    Hijack a thread......?
    Well... I didn't know about it... I thought, like on all other forums, you can continue replying in a thread with the same set of problems..... so I thought that Geri's Virtumonde thread would be a nice place to share a common problem...

    But from now on I will post a new thread.... sorry mods..... :)

    But hey, now I have solved my problem..... YES, finally I AM a WINNER!

    I ran..... vitomondobegone.exe and it just removed the devil in a few seconds!
    I simply couldn't believe it for once.....

    But since I am a newbie here.... it will take a bit of time to get to know it!

    But thanks guys!
     
  6. 2008/03/04
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi prashantnasa
    Welcome to WindowsBBS. :)

    First, it is not a good idea to just run tools you see others running; each system is different and may take a different tool, and you could harm your system even to the point of having to reformat. :(

    I would suggest you post a Deckard's System Scanner log.
    vitomondobegone.exe is an old tool and some of the new Vundo infections may not be covered by it.

    Here is how,

    Please download Deckard's System Scanner (dss.exe) and save it to your Desktop.
    Note: You must be logged onto an account with administrator privileges to complete the following.
    • Close all other windows before proceeding.
    • Double-click on dss.exe and follow the prompts.
    • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy and then paste the contents of main.txt and extra.txt in your next reply.

    Please post the "main.txt" log only for now.

    Again, please do not run any more tools unless told to do so.

    Thanks
    Geri
     
  7. 2008/03/05
    prashantnasa

    prashantnasa Inactive Thread Starter

    Joined:
    2008/03/04
    Messages:
    4
    Likes Received:
    0
    Well.... ok, I will keep that in mind Geri..... thanks for your valuable advice.
     
