Thread ID: 90331 2008-05-30 20:43:00 Virtumonde Virus - explorer.exe crashes repeatedly rpm5099 (13774) Press F1
Post ID Timestamp Content User
674071 2008-05-30 20:43:00 Ok, I've tried to remove it with Spybot Search and Destroy, and I keep getting the same result when I restart, but it is recognizing the virtumonde.dll. I'm trying Ad-Aware because it claims it has a Virtumonde removal tool built into it, but so far it hasn't worked. I need to restart and try it in safe mode. I seem to have removed all of the malware except for the Virtumonde, which crashes HijackThis as soon as I get the log, so I don't know if it's complete. The explorer.exe crashing does not happen in safe mode. Here's the log that I was able to generate:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:52:24, on 5/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\explorer.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SPIRun] Rundll32 SPIRun.dll,RunDLLEntry
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F81C2365-6A74-4247-BD57-D0FC684D3ABE}: NameServer = 192.168.100.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5198 bytes
rpm5099 (13774)
674072 2008-05-30 21:05:00 Run HJT again, tick these, then tick "Fix checked".

Close browsers

O4 - HKLM\..\Run: [SPIRun] Rundll32 SPIRun.dll,RunDLLEntry

Did you use Nlite or something??

O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')

Uninstall all versions of Sun Java, yours is out of date. Link is in my sig.

Try trojan remover in my sig below. Install it update it then click on scan.

Then select all options under utilities.

Then open my computer / right mouse on c then scan with trojan remover.

See what it picks up
Speedy Gonzales (78)
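Added example, not code from the thread and not part of HijackThis or Trend Micro: a small Python triage script for the O4 autorun lines of the HijackThis log posted above. It parses each O4 entry, works out which file actually executes (for rundll32 that is the DLL handed to it, not rundll32 itself), and lists the entries whose executing file is not given by an absolute path or could not be resolved. Those are exactly the entries a helper asks about before ticking them; the flag is a review hint, not a verdict (advpack.dll is a stock Windows DLL and the nLite entries were the poster's own). The sample lines are copied from the log in the first post.

```python
"""Triage of HijackThis (HJT) O4 autorun entries.

Added example, not part of the thread or of HijackThis itself. It reports
O4 entries whose executing binary/DLL is not a fully qualified path, which
are the ones worth a second look before "Fix checked". A flag is a review
hint only: advpack.dll is a stock Windows DLL, the nLite entries are the
poster's own, and nwiz.exe ships with the NVIDIA driver.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# O4 lines copied from the HJT log posted in the thread.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SPIRun] Rundll32 SPIRun.dll,RunDLLEntry
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
"""

# "O4 - <location>: <rest>"; the location is everything up to the first ": ".
O4_LINE = re.compile(r"^O4 - (?P<key>.+?): (?P<rest>.*)$")
# Registry-backed entries: "[ValueName] command line (User 'name')?"
REG_ENTRY = re.compile(r"^\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$")
# Drive-letter or UNC path.
ABS_PATH = re.compile(r"^(?:[A-Za-z]:\\|\\\\)")


@dataclass
class AutorunEntry:
    key: str             # registry location or "Global Startup"
    name: str            # value name or shortcut file name
    user: Optional[str]  # user context for HKUS entries, else None
    loaded: str          # file that really executes: the exe, or the DLL given to rundll32
    absolute: bool       # True when `loaded` is a fully qualified path


def loaded_module(cmd: str) -> str:
    """Return the file that actually runs for a Run/RunOnce command line.
    For rundll32 the code lives in its first argument, written as DLL,EntryPoint."""
    tokens = cmd.split()
    if not tokens:
        return ""
    exe = tokens[0]
    base = exe.rsplit("\\", 1)[-1].lower()
    if base in ("rundll32", "rundll32.exe") and len(tokens) > 1:
        return tokens[1].split(",", 1)[0]
    return exe


def parse_o4(log_text: str) -> List[AutorunEntry]:
    """Parse every O4 line of an HJT log into an AutorunEntry."""
    entries: List[AutorunEntry] = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue
        key, rest = m.group("key"), m.group("rest")
        user: Optional[str] = None
        if key == "Global Startup":
            # Shortcut in the all-users Startup folder: "<name>.lnk = <target>"; "?" = unresolved.
            name, _, target = rest.partition(" = ")
            loaded = target.strip()
        else:
            e = REG_ENTRY.match(rest)
            if not e:
                continue
            name, user = e.group("name"), e.group("user")
            loaded = loaded_module(e.group("cmd"))
        entries.append(AutorunEntry(key, name, user, loaded, bool(ABS_PATH.match(loaded))))
    return entries


def needs_review(entries: List[AutorunEntry]) -> List[AutorunEntry]:
    """Entries whose executing file is relative, bare, or unresolved."""
    return [e for e in entries if not e.absolute]


def report(log_text: str) -> List[str]:
    """One human-readable line per entry that deserves a look."""
    out = []
    for e in needs_review(parse_o4(log_text)):
        who = f" (user {e.user})" if e.user else ""
        out.append(f"{e.key} [{e.name}]{who}: loads '{e.loaded}' -- not fully qualified, review")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_HJT_LOG):
        print(line)
```

Run against the posted log it flags nwiz, SPIRun, the four nltide_3 RunOnce entries and the two unresolved HP shortcuts, and leaves the fully qualified NVIDIA, ctfmon and MSConfig entries alone; the same parser works on any HJT v2 log because the O4 line shape is fixed.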
674073 2008-05-30 21:13:00 Ok, I'm finishing a scan with Malwarebytes Anti-Malware that I picked up from another post on here. I'll run HJT and remove those you just said and complete the trojan removal program. I'll post the log from that as soon as it's complete. rpm5099 (13774)
674074 2008-05-30 21:14:00 Oh, and yes, I had to use nLite to slipstream my RAID drivers because Windows setup kept hanging during the driver signing confirmation. rpm5099 (13774)
674075 2008-05-30 21:15:00 Do I need to be in safe mode for these scans, btw? Can I use safe mode with networking to allow the scanning software to update itself? Thanks rpm5099 (13774)
674076 2008-05-30 21:19:00 No, you should be able to tick these in normal windows

Although if my computer crashes in normal Windows, you'll have to scan with Trojan Remover in safe mode with networking.

Umm leave the entries under where I asked about Nlite then.

Not too sure if these can be ticked or not.

I've never had to slipstream SATA drivers. So, I've never seen those entries before in startup.
Speedy Gonzales (78)
674077 2008-05-30 21:37:00 The nLite entries are just for the initial Windows install and I'm pretty sure they aren't necessary, so I went ahead and got rid of them. Explorer.exe crashes regularly, so I'm running Trojan Remover in safe mode, but it's still restarting even in safe mode. I'll post again in a minute as soon as this trojan scan is complete.

Also, the one key you had me remove, is that related to the virtumonde virus? Thanks.
rpm5099 (13774)
674078 2008-05-30 21:41:00 Also, the one key you had me remove, is that related to the virtumonde virus? Thanks.

I have no idea what that entry did or does.

I've never seen that entry before either

Oops, if you've got anything made by Creative, that 1st entry may belong to it.
Speedy Gonzales (78)
674079 2008-05-30 22:01:00 This TR scan is taking forever, in the meantime heres the malware log:

Malwarebytes' Anti-Malware 1.14
Database version: 800

4:36:15 PM 5/30/2008
mbam-log-5-30-2008 (16-36-15).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 173194
Time elapsed: 29 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\mlJApQkj.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\rqRLfDUl.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{06e12c36-760f-4d92-8509-5e5dbf12c423} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06e12c36-760f-4d92-8509-5e5dbf12c423} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mljapqkj (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d0889446-e659-4d97-9f2e-ec809a906fe4} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d0889446-e659-4d97-9f2e-ec809a906fe4} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{06e12c36-760f-4d92-8509-5e5dbf12c423} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\rqrlfdul -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\mlJApQkj.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rqRLfDUl.dll (Trojan.Vundo) -> Delete on reboot.
rpm5099 (13774)
674080 2008-05-30 22:04:00 Looks like that removed it, all you have to do is reboot. Speedy Gonzales (78)