Possible virtumonde Infection and loss of connectivity

By Tungstencalais · 20 replies
Apr 10, 2009
  1. Hi guys,

    Yesterday McAfee suddenly detected the virtumonde.sdn trojan on my computer, amongst other things, and my browser was intermittently hijacked, so I downloaded Spybot and removed whatever it found in a routine scan (in addition to what McAfee immediately removed following a full scan).

    There were no more hijacking problems, although the internet seemed to be running a bit slower than usual.

    I wanted to check if the problem would be resolved on restart, but after initially booting up in normal mode, once McAfee had loaded, it gave an error message and the blue Windows error screen came up following boot-up:

    A few different error messages, including: page fault in nonpaged area

    Instructions to disable BIOS memory options such as caching and shadowing

    Stop: 0x00000050(0xC0000005, 0xB08CD92D, 0xAD43CFB4, 0x00000000) amongst other similar errors

    This has happened on each boot in normal mode. I'm thinking it could be a problem within McAfee perhaps?

    I attempted to boot in safe mode with networking for internet access, but that caused a shutdown too, and I wasn't able to access the internet in any case.

    A boot in safe mode offered a little more time and I was able to run HijackThis, and SpyBot, but I have no way of getting the HijackThis log from here.

    I have a Dell Inspiron 6400 notebook (2 GHz processor, 2 GB RAM, running XP SP2) and it has overheated a handful of times over the last 2 years, including a few times with this current problem.

    I also ran the onboard diagnostics utility, which showed no problems with memory etc.

    I'm unable to carry out the 8 steps, since I have no connectivity in Safe mode, which is the only stable mode at present.

    I'm suspecting this is still virtumonde, and that it could be McAfee that's infected, but I'm unsure how to fix it, since my comp doesn't stay up long enough for a fix in normal mode and I have no way of getting the HijackThis log from safe mode/normal mode.

    Any help would be appreciated.
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Do you have a flash drive you can load the three programs onto, then install on the infected computer? No internet connection needed. Run them in Safe Mode. We'll rescan in Normal Mode when available.

    Question: Did you have McAfee quarantine all the files? Did you then delete the files?
  3. Tungstencalais

    Tungstencalais TS Rookie Topic Starter

    Hi Bobbye, thanks for the help.

    I initially tried to get Malwarebytes and a McAfee uninstaller on a flash drive from a clean comp to my infected comp in safe mode, but it doesn't recognise the USB drive at all.

    I then reversed a change that I had made initially when I contracted the virus, when I changed from a selective start-up of programs (which I was using before I got the virus) to full start-up, in preparation for an HJT log post. After this, on a restart, and once McAfee loaded, (along with approx 80 processes in total), the comp would either overheat and shut down or give me that blue error screen.

    Following reduction of the number of start up processes, I was able to get into last known config that worked mode (I don't think it was normal mode) and then able to download MBAM, which I ran in quick scan mode. I have attached the initial MBAM results. These items were removed, and on reboot a full scan and quick scan revealed no malware. I have also attached the latest full scan results.

    I subsequently was able to follow the steps in this forum, and I uninstalled my P2P application (LimeWire) and updated Java. I'm still running McAfee AV.

    I downloaded and ran SuperAntispyware and HJT, the logs of which I've attached too. It seems that SAS has found some rootkit agents.

    The current symptoms are firstly that I can't get into normal mode at all - there is a brief blue screen and immediate restart until I select last known config mode - when I tried getting into normal mode yesterday I was able to boot up, and then when McAfee loaded, the system restarted, so this has worsened. There are too many processes and slow processing, and my browser gets hijacked and redirected when I go to sites with the word "security" in the title, after I search for the word security in Google.

    Thanks for any help.

    Edit: I think that McAfee quarantined them and let me delete them too, but I can't be sure.
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Tungstencalais, we have some work to do before making sure the Rootkit is gone:

    1. You are running both Symantec and McAfee antivirus programs. Decide which you want to keep and uninstall the other. If you want to remove the Norton/Symantec programs, use the Norton Removal Tool HERE.

    2. You have TeaTimer running. Per Step 3, Real Time Monitoring must be temporarily disabled during the scans:
    You are bound to be running slowly due to the excessive browser helper objects (02), toolbars (03) and 04 processes which are loading at Startup every time you boot. You are also running Norton Ghost. I suggest you disable that for now so you don't backup malware.

    So we begin:
    Remove bad HijackThis entries
    • Run HijackThis
    • Click on the System Scan Only button
    • Put a check beside all of the items listed below (if present):
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank (IF you set this homepage to open blank, leave this entry. If not, check to remove.)
    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.

    Boot into Safe Mode:
    Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK all of the following if present:
    Right click on Start> Explore> Programs> Norton Ghost> Disable for now

    Boot into Normal Mode: NOTE: You will get a nag message that you can ignore and close after checking 'don't show this message again'. Stay in Selective Startup.

    Please download ComboFix. HERE:
    With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    Also disable your internet connection.

    • Run Combo-Fix.exe and follow the prompts.
    **Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Do not click on the ComboFix window, as it may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    So here is the order to follow:
    1. Remove one of the antivirus programs.
    2. Disable Tea Timer
    3. Have HijackThis remove the entries checked
    4. UPDATE and rescan with Malwarebytes
    5. Run ComboFix
    6. Rescan with Hijackthis
    Attach all logs and reports
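The HijackThis step above is a triage by eye: pick out the Run entries (O4), BHOs (O2), toolbars (O3) and services (O23) that should not be loading, and check whether the about:blank start page (R0) was set by the user. The following script is an added example, not code from this thread or from HijackThis, that applies those same checks mechanically to a constructed log in HijackThis "System Scan Only" format. The removal list is taken from the names Bobbye gives the poster later in the thread; the sample log lines, paths and the trusted-host list are assumptions for illustration.

```python
import re
from collections import Counter, namedtuple

# Constructed sample in HijackThis "System Scan Only" format; not a log from
# this thread (the poster's logs were attachments). Paths are illustrative.
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.example.invalid/search
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A1B2C3D4-0000-0000-0000-000000000001} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Norton Ghost 12.0] C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O4 - HKCU\..\Run: [VeohWebPlayer] C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
O4 - HKCU\..\Run: [npchime] rundll32.exe C:\WINDOWS\system32\npchime.dll,Start
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
"""

Entry = namedtuple("Entry", "section detail")
Finding = namedtuple("Finding", "section reason detail")

# Names Bobbye told the poster to take out of startup in this thread.
# Matching is a case-insensitive substring test against the whole entry.
KNOWN_UNWANTED = (
    "vprosvc.exe", "mdm.exe", "moyeacth.dll", "veohwebplayer",
    "dell network assistant", "versato", "npchime.dll",
)

# Every HijackThis line starts with a section tag such as R0, O2, O4, O23, F2.
LINE_RE = re.compile(r"^([RFO]\d+)\s+-\s+(.*)$")


def parse_hjt(text):
    """Split HijackThis output into (section, detail) pairs, skipping junk lines."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entries, blank_homepage_intended=False, trusted_hosts=("www.google.com",)):
    """Return the entries a helper would tick in 'Fix Checked', with a reason each."""
    findings = []
    for e in entries:
        low = e.detail.lower()
        if e.section in ("R0", "R1"):
            # "Key,Value = url": the URL is on the right of ' = '
            _, _, url = e.detail.partition(" = ")
            if url == "about:blank":
                if not blank_homepage_intended:
                    findings.append(Finding(e.section, "blank start page not set by user", e.detail))
            else:
                host = re.sub(r"^https?://", "", url).split("/")[0].lower()
                if host not in trusted_hosts:
                    findings.append(Finding(e.section, "unexpected start/search page host: " + host, e.detail))
            continue
        # Orphans ("no name"/"no file") are leftovers of removed software or malware.
        if "(no file)" in low or "(no name)" in low:
            findings.append(Finding(e.section, "orphaned entry (no name / no file)", e.detail))
            continue
        hit = next((n for n in KNOWN_UNWANTED if n in low), None)
        if hit:
            findings.append(Finding(e.section, "matches removal list: " + hit, e.detail))
    return findings


def startup_load(entries):
    """Count BHOs (O2), toolbars (O3), Run entries (O4) and services (O23):
    the sections Bobbye points to as the cause of a slow startup."""
    return Counter(e.section for e in entries if e.section in ("O2", "O3", "O4", "O23"))


if __name__ == "__main__":
    ents = parse_hjt(SAMPLE_LOG)
    print("startup load:", dict(startup_load(ents)))
    for f in triage(ents):
        print(f"[{f.section}] {f.reason}\n    {f.detail}")
```

Run it as-is to see the constructed log triaged; pass `blank_homepage_intended=True` to `triage` when the user confirms they set the blank home page themselves, which drops the R0 finding exactly as Bobbye's instruction says.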
  5. Tungstencalais

    Tungstencalais TS Rookie Topic Starter

    Hi Bobbye, does it matter if I'm unable to get into normal mode for Combofix, since I'm only able to get into last known config that worked at this point?

    Otherwise, I'll get started on these steps.

    Hi Bobbye, sorry for the double post, but this would have been a huge edit otherwise.

    Firstly, I was able to get into normal mode (with USB connectivity now) for Combo-Fix, but the view still resembles last good known configuration in terms of toolbars etc, so I'm not sure if this is actually normal mode - is there any way to check? Also, the main problem I have at the moment is that sometimes when accessing normal web pages, like this help forum, there seems to be some adware downloading according to the IE status bar at the bottom.

    OK so I followed your advice and used the Norton removal tool, which totally got rid of Norton Ghost in the process - I'm not sure if it was meant to remove this program? Will I need this later on?

    I disabled Spybot teatimer from the Resident icon option in Tools, but when I checked System startup, Teatimer wasn't on the list, so I'm not sure if that was fine or not.

    I ran HJT as you requested and the first two items you'd listed, weren't listed:

    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton Ghost\Agent\VProSvc.exe

    I deleted Dell Network assistant from the list as you requested, but I'm on a wireless network - will this affect the strength of the connection? Signal strength seems lower without this in my system tray.

    I then fixed those items using HJT, and rebooted initially into Last known good config again. Now there's a windows installer program that starts up initially with each boot - should I do something about this?

    I ran a quick scan using MBAM and it detected 5 files infected with a trojan and I fixed it using MBAM. I've attached the log.

    I then rebooted into Safe Mode to alter MSConfig. Prior to the welcome screen with user icons, there are a list of files that come up, e.g.:

    multi(0)disk(0)partition(2)WINDOWS\system32\DRIVERS\pci.sys etc

    and it asks me if I'd like to load some .sys file I think, and it takes a while to load all this. Is this normal, or is it indicative of the infection?

    In safe mode I altered Start up through MSConfig, but there were hardly any programs loading that you mentioned in your post:

    Norton Ghost\Agent\VProSvc.exe
    Random stuff unsure\FLV Downloader\MoyeaCth.dll (not sure how it's listed)
    All entries related to VeohWebPlayer
    Dell Network Assistant
    All entries related to Versato
    All entries for npchime.dll
    When finished> Apply> OK

    Won't safe mode normally have a reduced number of start up items anyway? Should I disable these in normal mode if present?

    I then got into normal mode, as I mentioned earlier, and downloaded and ran Combo-Fix. I didn't have Windows Recovery Console, and I'd already disabled internet by that stage, plus I subsequently haven't been able to get ComboFix to run it (when I try dropping the WRC download file into ComboFix it says that I can't have the file named as Combo-Fix which you'd requested). Do I still need WRC, and if so, do I need to rename Combo-Fix back to the original?

    In any case, I've attached the MBAM scan after HJT fix, Combo-Fix file + Combo fix quarantine file and the rescan with HJT.
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Okay, let's address this> are you "having" to boot into the LKGC every time you reboot?

    And I think you said you went back to Normal Startup, with about 80 processes running. Please do not do these things unless your helper tells you to. Going back to Normal Startup undoes the purpose we're using Selective Startup for and that is to stop programs from starting up!

    Please advise your exact status when you reboot:
    1. Can you get into Normal Startup at all?
    2. Can you get into Safe Mode?
    3. Why are you going back to last good?
  7. Tungstencalais

    Tungstencalais TS Rookie Topic Starter

    Hi Bobbye,

    I'm getting into normal boot up each time now, and Safe Mode is accessible too, but as I said in the previous post, safe mode boot up shows a whole lot of driver files prior to the welcome screen and it takes a little while (15-20 seconds perhaps) on this screen.

    The reason why I was questioning if I was in LKGC or normal mode was because in normal mode, the appearance of my desktop in terms of toolbars has changed from the XP appearance to older format toolbars (e.g. loss of the blue toolbar at the bottom and green XP Start button etc). I'm definitely in normal mode though.

    As for going back to normal with 80 processes running, I'd done this after mentioning it to a helper on another forum, who gave me the advice to go ahead with a selective startup in LKGC to reduce the number of processes in normal mode. This was done after my first post on this site, but prior to when you started helping me. I'm not able to add the link to the page where I received help on bleeping computer due to an inadequate number of posts on this forum. I can add the link into my next post if you'd like to see it?

    I'll try and remove those processes if present in normal mode at startup now. Also, are those logs showing things that need to be fixed?

    Edit: Those processes weren't present at startup in normal mode either so I couldn't remove anything. Currently I have approx 60 processes running in normal mode.
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    I have 4> the AV program, Touchpad, 2 network process for Network Magic. If I had a third party firewall, that would also be on Startup.

    But I customize my machines the first day I get them and stay in Selective Startup from then on. But let's clarify:
    Normal Mode vs Safe Mode
    Normal Startup vs Selective Startup

    IF you ran Malwarebytes, SuperAntispyware or Combofix in Safe Mode, or IF you went back to LKGC, please UPDATE and rescan with each in Normal Mode. Follow with rescan in HijackThis. Attach all logs.

    Since you have allowed the system to go back to Last Known, I am not sure what is remaining on it now.
  9. Tungstencalais

    Tungstencalais TS Rookie Topic Starter

    Hi Bobbye, I'll rescan with MBAM, SAS then Combo-Fix and HJT again. Should take a few hours I guess. I'll add the files into this post as an edit.

    In any case do those logs I posted before show an infection? I haven't had too many issues recently, but just as I say that, I find that this site won't let me cut and paste these lines using the mouse. Plus on the very odd occasion a website will freeze and not load.

    Hey again, I thought you may miss my post if I edited the previous one so I've double posted again - sorry about this.

    I updated and ran MBAM and SAS. SAS showed 15 adware trackers, MBAM showed nothing.

    I ran ComboFix, but I didn't update/download a more recent version from the one 2 days ago - should I redo this? This also found nothing I think.

    The HJT log following this is attached.

    Edit: Hmm, this is the third time I'm typing this. Alright, so my system has destabilised now. I got a pop-up from McAfee saying that I needed to restart in order for some updates to finish installing for virus scan and that I wouldn't be able to access McAfee security centre until I did this. So I clicked on the restart option and upon rebooting, I no longer have a McAfee icon in my tray, although it still appears to be running.

    The main problems are with IE - it's not letting me access too many sites (e.g. techspot forum following a google search) before it gives me errors, including ones with autocomplete: "0x04ac75ba referenced memory at 0x00000004. Memory could not be read". This appears very regularly when opening up IE and the box won't close unless I terminate IE from task manager. I ran MBAM and SAS w/o updates since I couldn't get to their download pages. MBAM showed nothing, SAS showed 8 adware trackers this time. So is this a problem with McAfee? Should I uninstall it and install something like Avira instead? What else can be done?
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    My apology for the delay. I had "stuff" come up that I had to attend to.

    I have been puzzling over your problems and am considering the following:
    1. The overheating problems you had might have damaged something> possibly the memory chips.
    I cannot identify this error code- please check the digits. Find the Error in the Event Viewer that corresponds to the time this message comes up:

    Start> Run> type in eventvwr
    NOTE: Please ignore Warnings and Information Events. Please do not paste the entire log> just the Error in question. You do not need to include the lines of code-if any-in the box below the Description.
    Referenced memory issues can come up when there are too many programs running.

    If you don't have a large amount of money invested in McAfee, yes, I would recommend Avira over it.

    Steps to change the AV program:
    Question: Do you have a homepage set to come up as a blank page?
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

    Please advise of status after the AV changeover regarding error messages and ability to access web pages.
  11. Tungstencalais

    Tungstencalais TS Rookie Topic Starter

    The first two logs are the most recent errors in terms of IE having to shut down - this time "The instruction at: 0x10051e39" referenced memory at "0x06883000". The memory could not be read" came up.

    Event Type: Error
    Event Source: Application Error
    Event Category: None
    Event ID: 1000
    Date: 17/04/2009
    Time: 1:56:44 AM
    User: N/A
    Computer: OM108
    Faulting application iexplore.exe, version 6.0.2900.2180, faulting module unknown, version, fault address 0x10051e39.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Event Type: Error
    Event Source: Application Error
    Event Category: None
    Event ID: 1000
    Date: 17/04/2009
    Time: 12:58:43 AM
    User: N/A
    Computer: OM108
    Faulting application iexplore.exe, version 6.0.2900.2180, faulting module unknown, version, fault address 0x10051e39.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    This is an error assoc with windows updater I think?

    Event Type: Error
    Event Source: crypt32
    Event Category: None
    Event ID: 8
    Date: 17/04/2009
    Time: 12:04:37 AM
    User: N/A
    Computer: OM108
    Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The server name or address could not be resolved

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    I think the problem hasn't changed significantly with avira - I can get onto this forum (but not use attachments), but once I select a video on youtube, for example, the error comes up. The page continues to load even with the error msg, but is quite slow.

    I'm pretty much unable to update anything - windows/avira/mbam/sas etc.

    I do have my home page set to "about blank". Is this something I should change?

    Some other things I've noticed: My desktop changes on reboot at times - e.g. the "My computer" and "My docs" icons disappeared on one reboot. Yesterday, I was watching a flash file I'd downloaded about a year ago and the error box came up to close flash player when I was watching the video. This is the only occasion where the error box hasn't been IE related. Also, as I said in a previous post, my computer was quite stable for a few days - virtually issue free, internet working fine etc. If it's a memory issue, would it have occurred since then?

    Avira found 5 files which were subsequently removed. These aren't related to the current issue though, I don't think. Also, I can no longer attach these files using IE, so I'll have to use the clean comp for this.

    EDIT: You may be right about the memory issue or CPU usage though - task manager shows that CPU use doesn't drop below 50% at all, with no programs running and nothing opened - does this mean that one of the processors (it's a Core2duo processor) has died - doesn't seem likely since both processor graphs are fluctuating? Or does it mean perhaps that something like a virus is working in the background?
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    1. Okay, from the Application Errors ID#1000, we know IE had a problem, but no module is given and I can't ID fault address 0x10051e39. And there is no Error code.

    2. The Error ID #8 ,Source: crypt32, Description:Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The server name or address could not be resolved.

    Are you using these programs for the video?
    c:\program files\VideoLAN
    c:\program files\Veoh Networks

    If so, let's try something.
    1. Boot into Safe Mode:
    * Restart your computer and start pressing the F8 key on your keyboard.
    * Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    2. Go to Start> Run> msconfig> enter> Selective Startup> Startup Menu> UNCHECK everything EXCEPT:
    McAfee Antivirus
    McAfee Firewall
    Synaptics\SynTP\SynTPEnh.exe (touchpad for the laptop)

    Apply> OK>

    Open IE>Tools> Manage Add-ons> find each of these> click to highlight> disable each:
    Reboot into Normal Mode> NOTE: ignore and close the nag message after checking 'don't show again.' Stay in Selective Startup.

    IF you ran Malwarebytes and/or Combofix in Safe Mode, UPDATE each and rescan in Normal Mode.

    Follow with new scan in HijackThis. Attach the logs and reports.

    Tell me how you're running.
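Bobbye's reading of the three Event Viewer entries in post #11 is: two Application Error 1000 records that give no faulting module, and a crypt32 event 8 that is a name-resolution failure. The script below is an added example, not part of the thread or of any tool named in it, that parses the pasted text of those entries (copied verbatim as the sample input) and draws the two conclusions a practitioner would want: whether the IE crashes land at the same fault address every time, and whether the update failure is a DNS problem rather than anything to do with the updater itself. The wording of the notes is this editor's, not Bobbye's.

```python
import re
from collections import Counter

# The three Event Viewer entries pasted in post #11, copied verbatim as the sample input.
EVENTS_TEXT = """\
Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 17/04/2009
Time: 1:56:44 AM
User: N/A
Computer: OM108
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module unknown, version, fault address 0x10051e39.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 17/04/2009
Time: 12:58:43 AM
User: N/A
Computer: OM108
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module unknown, version, fault address 0x10051e39.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: crypt32
Event Category: None
Event ID: 8
Date: 17/04/2009
Time: 12:04:37 AM
User: N/A
Computer: OM108
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The server name or address could not be resolved

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
"""

HEADER_KEYS = ("Event Type", "Event Source", "Event Category", "Event ID",
               "Date", "Time", "User", "Computer")

# XP's Application Error 1000 description; the module version may be empty ("version,").
FAULT_RE = re.compile(
    r"Faulting application (?P<app>[^,]+), version\s*(?P<appver>[^,]*), "
    r"faulting module (?P<mod>[^,]+), version\s*(?P<modver>[^,]*),\s*"
    r"fault address (?P<addr>0x[0-9A-Fa-f]+)")
DNS_FAIL = "The server name or address could not be resolved"
URL_RE = re.compile(r"<?(https?://[^\s>]+)>?")


def parse_events(text):
    """Split copied Event Viewer text into dicts: header fields plus a joined Description."""
    events, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Event Type:"):          # each record starts here
            cur = {"Description": []}
            events.append(cur)
        if cur is None or not line or line.startswith("For more information"):
            continue
        key, sep, value = line.partition(":")
        if sep and key in HEADER_KEYS:
            cur[key] = value.strip()
        else:                                        # anything else is description text
            cur["Description"].append(line)
    for ev in events:
        ev["Description"] = " ".join(ev["Description"])
    return events


def analyze(events):
    """Group 1000 crashes by (app, module, address); collect hosts that failed DNS in crypt32/8."""
    crashes, update_failures = Counter(), []
    for ev in events:
        src, eid, desc = ev.get("Event Source"), ev.get("Event ID"), ev["Description"]
        if src == "Application Error" and eid == "1000":
            m = FAULT_RE.search(desc)
            if m:
                crashes[(m["app"], m["mod"], m["addr"].lower())] += 1
        elif src == "crypt32" and eid == "8" and DNS_FAIL in desc:
            u = URL_RE.search(desc)
            update_failures.append(re.sub(r"^https?://", "", u.group(1)).split("/")[0] if u else "?")
    return {"crashes": dict(crashes), "update_failures": update_failures}


def report(result):
    """Turn the analysis into the notes a helper would post back."""
    notes = []
    for (app, mod, addr), n in sorted(result["crashes"].items()):
        where = "outside any module the error reporter could map" if mod == "unknown" else "in " + mod
        same = " (same address each time, which points to a software cause rather than random memory faults)" if n > 1 else ""
        notes.append(f"{app}: {n} crash(es) at {addr} {where}{same}")
    for host in result["update_failures"]:
        notes.append(f"DNS lookup of {host} failed: Windows Update and AV signature downloads cannot "
                     f"work until name resolution from this machine is fixed (check DNS settings and the hosts file)")
    return notes


if __name__ == "__main__":
    for note in report(analyze(parse_events(EVENTS_TEXT))):
        print(note)
```

The parser only keys on the header labels XP prints, so it works on any records copied out of eventvwr the same way; filter `analyze` further by `Date`/`Time` to match the moment the "referenced memory" box appeared, as Bobbye asks.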
  13. Tungstencalais

    Tungstencalais TS Rookie Topic Starter

    Hey Bobbye,

    Not really sure what's going on with the system, but it's returned to the state it was in prior to downloading those McAfee updates (my 5th post). Internet is working fine, with no error messages at all. CPU usage isn't stuck in 50-100%, all programs are able to update just fine (I used the chance to update SAS, MBAM, Avira). I'll tell you what I've done/observations since last post:

    So observing the system when unstable, I noticed that when I tried to update the security programs (SAS/Avira), CPU usage immediately shot to 50% and stayed there - 1 of the CPU boxes was maxed out basically, the other one low.

    I then unchecked all the programs besides Avira and Synaptics from startup in safe mode. For the IE add-ons all I could find from the list you gave was the CTVU entry in the add-ons that have been used previously (not the currently used add-ons list) and I disabled it. I also disabled Yahoo toolbar since I don't use it at all. I have about 40 processes running now.

    On reboot into normal, I tried to update Combofix for a scan, and after it had finished downloading its update files, it closed and the program tried to restart. The comp then froze and became unresponsive, so I manually turned the comp off with the on/off switch.

    On reboot into normal, there were no problems and the system was stable, as I mentioned above. However, when I try to open combofix now, it just opens the command prompt box as usual, but there's no text and it doesn't appear to be working.

    I updated and ran MBAM and SAS, and the latter picked up 9 adwares as it usually does. I ran HJT after.

    Should we fix combofix at this point? Could this all have something to do with combofix and the windows recovery console installed through it - the system initially could have destabilised after installing WRC, although it wasn't an immediate effect perhaps?
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Reset Cookies:
    Please 1. Download the McAfee Removal Tool from HERE & save to your desktop.
    I don't see any malware in any of the logs. The only 'no name' or 'no file' entries left are from McAfee and the removal program should handle those. The Cookie reset will help prevent Tracking Cookies.

    Uninstall Combofix
    Download OTCleanIt HERE & save it to your desktop.
    Clear your existing System Restore points and establish a new clean restore point:
    When you finish with the McAfee removal, run a full system scan with Avira. If anything is found, please attach the log.

    See how the system runs now. Remember what I told you about removing processes from Startup. IF you only have 40 processes running in the Task Manager, that is good. Know that the TM number is different from the Startup number!
  15. Tungstencalais

    Tungstencalais TS Rookie Topic Starter

    Hey Bobbye,

    Yep I'm aware of TM vs start-up number - only have those 3 things in startup now. I've already run the MCPR tool to remove McAfee prior to installing Avira - do I need to do this again?
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    These entries remained in your last HijackThis log:

    Open HijackThis> System Scan Only> Check each> click on Fix Checked when through. See if that does it:

  17. Tungstencalais

    Tungstencalais TS Rookie Topic Starter

    I've now removed those entries from HJT, uninstalled ComboFix, run OTCleanIt and established a new system restore point.

    I then ran a full system scan with Avira and nothing was found. There were however, 3 files that couldn't be opened, two of which had a note attached in the log file. The third (C:\WINDOWS\system32\drivers\sptd.sys) has no note attached and this is the file I'm asked if I want to load when Safe Mode boots up (my 5th post) showing the list of drivers booting up. Is this anything to be concerned about, or is it normal? I've attached the log.
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Installed with Daemon Tools V4.00 - Scsi Pass Through Direct (sptd.sys) driver

    If it is a problem: update from here:
    SPTD for Windows 2000/XP/2003/Vista (32 bit)

    But I don't see Daemon Tools in any of the logs. Take the process off of Startup, delete the file.
  19. Tungstencalais

    Tungstencalais TS Rookie Topic Starter

    Hi Bobbye,

    I uninstalled Daemon Tools pro, but there still seem to be remnants of the program, and the sptd.sys file is still present. It doesn't seem to be affecting the system at all, so I'm probably not going to do anything more with it for now, unless you think I should delete the sptd.sys file?

    Otherwise, the system is now stable. Thanks for all the help over the last week!
  20. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    Now is a good time to complete all your Windows Security Updates
    SP3 has been out for some time now, and helps improve system performance and security
    There have also been many Security Updates since SP3 as well :grinthumb
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36
