TechSpot

Virtumonde infection

By murtazapen
Aug 10, 2008
  1. Hello everyone, I seem to have a nasty Virtumonde infection that I can't seem to get rid of. Spybot is the only one that catches it - Spyzooka, SuperAntiSpyware and Ad-Aware can't even find it. I've attached my HijackThis log file, but have no idea what to fix.

    Can someone please help?

    Thanks!
     
  2. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    Hello, welcome to TechSpot.

    Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: {35d86e71-9fb1-7529-0114-d3d40c8819d7} - {7d9188c0-4d3d-4110-9257-1bf917e68d53} - (no file)
    O2 - BHO: (no name) - {B9238950-A58F-479A-89C3-8D68D639C6E8} - (no file)
    O2 - BHO: (no name) - {EA2CC8E4-3199-4B85-9FE4-BAA5EF2ACB99} - (no file)
    O4 - HKLM\..\Run: [4820d75a] rundll32.exe "C:\WINDOWS\system32\levflxqd.dll",b
    O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://perfmgmt.internal.t-mobile.com/download/CfxIEAx.cab
    O16 - DPF: {6F0892F7-0D44-41C3-BF07-7599873FAA04} (Crystal ActiveX Report Viewer Control 11.5) - http://boj.eng.t-mobile.com/crystalreportviewers115/ActiveXControls/ActiveXViewer.cab
    O16 - DPF: {84D35B77-75B4-4FF0-A2DE-6ED1B3EBE036} (Crystal ActiveX Report Viewer Web Report Source 11.5) - http://boj.eng.t-mobile.com/crystalreportviewers115//ActiveXControls/ActiveXViewer.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gsm1900.org
    O17 - HKLM\Software\..\Telephony: DomainName = gsm1900.org
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gsm1900.org
    O20 - Winlogon Notify: jkkkkHAr - C:\WINDOWS\

    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot.

    ==============================================

    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      C:\WINDOWS\system32\levflxqd.dll
    • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt2
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    ===============================================

    Please download Malwarebytes' Anti-Malware from Here or Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version. Then reboot into Safe Mode: restart and start tapping the F8 key; you will get the Advanced Options menu; select Safe Mode, then load and run the program.
    • Once the program has loaded, select "Perform Full Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & Paste the entire report in your next reply.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    Now run HijackThis and post a fresh HijackThis log.
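    The reply above works through a HijackThis log by hand: orphaned O2 BHO entries marked "(no file)", an O4 Run entry that uses rundll32.exe to load a DLL from system32, O16/O17 entries that deserve a second look, and an O20 Winlogon Notify entry. The script below is an added example, not code from the thread or from the HijackThis or OTMoveIt projects: it parses HijackThis-style lines, attaches review flags using heuristics of my own (assumptions, not HijackThis rules), and collects the DLL paths so they can be pasted into a move list. The sample log is a constructed subset of the entries quoted in the reply.

```python
import re
from collections import Counter

# Constructed sample: a subset of the HijackThis entries quoted in the reply above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: {35d86e71-9fb1-7529-0114-d3d40c8819d7} - {7d9188c0-4d3d-4110-9257-1bf917e68d53} - (no file)
O2 - BHO: (no name) - {B9238950-A58F-479A-89C3-8D68D639C6E8} - (no file)
O2 - BHO: (no name) - {EA2CC8E4-3199-4B85-9FE4-BAA5EF2ACB99} - (no file)
O4 - HKLM\..\Run: [4820d75a] rundll32.exe "C:\WINDOWS\system32\levflxqd.dll",b
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://perfmgmt.internal.t-mobile.com/download/CfxIEAx.cab
O20 - Winlogon Notify: jkkkkHAr - C:\WINDOWS\
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gsm1900.org
"""

# Every HijackThis entry starts with a section code (O2, O4, ...) and a dash.
LINE_RE = re.compile(r"^(O\d+) - (.+)$")
# Windows path to a DLL or EXE inside an entry; used to build the move list.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\s,]+\.(?:dll|exe)", re.IGNORECASE)


def flags_for(section, detail):
    """Review heuristics (assumptions of this example, not HijackThis rules)."""
    flags = []
    if section == "O2" and detail.endswith("(no file)"):
        flags.append("orphaned BHO: CLSID registered but the DLL is missing")
    if section == "O4":
        m = re.search(r'rundll32\.exe\s+"?([^",]+\.dll)"?', detail, re.IGNORECASE)
        if m:
            flags.append("rundll32 autostart loading " + m.group(1))
    if section == "O16":
        m = re.search(r"https?://([^/\s]+)", detail)
        if m:
            flags.append("ActiveX download from " + m.group(1) + ": confirm the host is trusted")
    if section == "O17":
        m = re.search(r"Domain(?:Name)?\s*=\s*(\S+)", detail)
        if m:
            flags.append("TCP/IP domain set to " + m.group(1) + ": confirm it matches your network")
    if section == "O20":
        if detail.rstrip().endswith("\\"):
            flags.append("Winlogon Notify entry with no DLL filename recorded")
        else:
            flags.append("Winlogon Notify DLL loads at every logon")
    return flags


def parse_log(text):
    """Turn raw HijackThis lines into dicts with section, detail and review flags."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip headers, blank lines and anything that is not an O-entry
        section, detail = m.groups()
        entries.append({"section": section, "detail": detail,
                        "flags": flags_for(section, detail)})
    return entries


def flagged(entries):
    return [e for e in entries if e["flags"]]


def summary(entries):
    """Count flagged entries per section, e.g. Counter({'O2': 4, 'O4': 1, ...})."""
    return Counter(e["section"] for e in flagged(entries))


def file_paths(entries):
    """Unique DLL/EXE paths referenced by flagged entries, in log order (move-list input)."""
    seen = []
    for e in flagged(entries):
        for p in PATH_RE.findall(e["detail"]):
            if p not in seen:
                seen.append(p)
    return seen


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for e in flagged(parsed):
        print(e["section"], "|", e["detail"])
        for f in e["flags"]:
            print("    ->", f)
    print("per-section counts:", dict(summary(parsed)))
    print("paths for the move list:", file_paths(parsed))
```

    Run it against a saved HijackThis log by replacing SAMPLE_LOG with the file's contents; the flags only say why an entry deserves review, so the final fix/keep decision still rests with whoever reads the full log.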
     
  3. murtazapen

    murtazapen TS Rookie Topic Starter

    Thanks for the instructions xxdanielxx. I'll do the needful and post the new logs tonight.

    Appreciate your help!
     