Virtumonde Infection / Ad Popups

Status
Not open for further replies.
Hey Guys,

My PC has been infected by Virtumonde and ad popups for the last few days. Symptoms include the browser (Firefox) being extremely slow to load web pages as well as random ad popups. Also, Spybot picked up Virtumonde and tried removing it, but it wasn't successful. Also, my PC's CPU was running at 100% most of the time with winlogin.exe taking almost 50% of the CPU usage, which is unusual.
I ran HijackThis and here are the log files.... Any help is greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:19:40 AM, on 12/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LckFldService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\NDAS\System\ndassvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
D:\Program Files\DAEMON Tools\daemon.exe
D:\Program Files\Valve\Steam\Steam.exe
D:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
D:\Program Files\Logitech\SetPoint\SetPoint.exe
D:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\NDAS\System\ndasmgmt.exe
D:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Downloads\Firefox\dss.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\mkv2vob\tools\virtualdubmod.exe
C:\Program Files\TVersity\Media Server\TVersity.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
D:\Program Files\Trend Micro\HijackThis\Crusty.exe
 
The most important part of the log is missing.

Please attach the entire log using the paperclip icon above your reply (not quick reply)
 
Remove bad HijackThis entries
  • Run HijackThis
  • Click on the System Scan Only button
  • Put a check beside all of the items listed below (if present):

    O2 - BHO: (no name) - {95625B2F-398B-4E07-8A72-445B0B7C60DF} - C:\WINDOWS\system32\fCRLcbbA.dll (file missing)
    O2 - BHO: (no name) - {9B77B961-370D-4118-BFC6-E90A8A17BF8C} - C:\WINDOWS\system32\nnnmkkLd.dll
    O2 - BHO: (no name) - {BF0CA4FC-6378-4062-B546-3CDE8A28B1E0} - (no file)
    O4 - HKLM\..\Run: [BM9baefdb0] Rundll32.exe "C:\WINDOWS\system32\nbyyjwuo.dll",s
    O4 - HKLM\..\Run: [989dce2c] rundll32.exe "C:\WINDOWS\system32\udkthapu.dll",b
    O20 - Winlogon Notify: efcCuTNf - C:\WINDOWS\
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.
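The entries the helper picked out above share a few tell-tale traits: a BHO whose DLL is missing or has no name, a Run key that loads a system32 DLL through rundll32 with a one-letter export, a Winlogon Notify package with no DLL path, and eight-letter DLL names with no pronounceable structure. The script below is an added example (not part of this thread and not a HijackThis feature): it parses the O2/O4/O20 line formats quoted in the reply and reports which of those traits each line shows. The sample log is constructed from the lines quoted above plus one benign ESET Run entry, and the "random-looking name" rule (eight letters with a run of four or more consonants) is a crude heuristic of my own that will misfire on some legitimate names, so it is reported only as a corroborating reason alongside the stronger signals.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the six HijackThis lines quoted in the reply above,
# plus one constructed benign Run entry for the ESET GUI seen in the
# running-processes list, so the triage has a negative case.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {95625B2F-398B-4E07-8A72-445B0B7C60DF} - C:\WINDOWS\system32\fCRLcbbA.dll (file missing)
O2 - BHO: (no name) - {9B77B961-370D-4118-BFC6-E90A8A17BF8C} - C:\WINDOWS\system32\nnnmkkLd.dll
O2 - BHO: (no name) - {BF0CA4FC-6378-4062-B546-3CDE8A28B1E0} - (no file)
O4 - HKLM\..\Run: [BM9baefdb0] Rundll32.exe "C:\WINDOWS\system32\nbyyjwuo.dll",s
O4 - HKLM\..\Run: [989dce2c] rundll32.exe "C:\WINDOWS\system32\udkthapu.dll",b
O20 - Winlogon Notify: efcCuTNf - C:\WINDOWS\
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe"
"""

# Line formats as HijackThis prints them (only the three section types used above).
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$')
O4_RE = re.compile(r'^O4 - (?P<key>HK\w+\\\.\.\\\w+): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$')
RUNDLL_RE = re.compile(r'(?i)^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<export>\S*)')

VOWELS = set("aeiou")


def longest_consonant_run(stem: str) -> int:
    """Length of the longest run of non-vowel letters (y counts as a consonant)."""
    run = best = 0
    for ch in stem.lower():
        if ch in VOWELS:
            run = 0
        else:
            run += 1
            best = max(best, run)
    return best


def looks_random(stem: str) -> bool:
    """Heuristic (my assumption, not a HijackThis rule): eight letters with an
    unpronounceable consonant run, like the Vundo-style names quoted above."""
    return len(stem) == 8 and stem.isalpha() and longest_consonant_run(stem) >= 4


def basename_stem(path: str) -> str:
    """'C:\\WINDOWS\\system32\\nnnmkkLd.dll' -> 'nnnmkkLd'."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name[:-4] if name.lower().endswith((".dll", ".exe")) else name


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def triage_line(line: str) -> list:
    """Return the list of suspicious traits found on one HijackThis line."""
    reasons = []
    if (m := O2_RE.match(line)):
        path = m.group("path")
        if "(file missing)" in path or path == "(no file)":
            reasons.append("BHO registered but its DLL is gone")
        if m.group("name") == "(no name)":
            reasons.append("BHO has no name")
        if looks_random(basename_stem(path.replace(" (file missing)", ""))):
            reasons.append("random-looking DLL name")
    elif (m := O4_RE.match(line)):
        rd = RUNDLL_RE.match(m.group("cmd"))
        if rd:  # a Run value that only exists to load a DLL via rundll32
            if len(rd.group("export")) == 1:
                reasons.append("rundll32 loading a DLL by a one-letter export")
            if looks_random(basename_stem(rd.group("dll"))):
                reasons.append("random-looking DLL name")
    elif (m := O20_RE.match(line)):
        if not m.group("path").lower().endswith(".dll"):
            reasons.append("Winlogon Notify package without a DLL path")
        if looks_random(m.group("name")):
            reasons.append("random-looking notify package name")
    return reasons


def triage(log_text: str) -> list:
    """Parse a HijackThis log and return a Finding for every line that raised a reason."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = triage_line(line)
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    -", r)
```

Run against the constructed sample it reports the six entries the helper listed and stays silent on the ESET Run entry; the Winlogon Notify line is caught by its missing DLL path rather than by the name rule, which is why the stronger structural checks come first and the name heuristic only adds weight.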


Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\fCRLcbbA.dll
    C:\WINDOWS\system32\nnnmkkLd.dll
    C:\WINDOWS\system32\nbyyjwuo.dll
    C:\WINDOWS\system32\udkthapu.dll


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

------------------------------------------------------------------------

Malwarebytes' Anti-Malware

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please attach this log with your reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
 