Virtumonde, Logs Inside.

Everyone · May 2, 2009

Hello, I have been having problems with Virtumonde for about three weeks I believe. My Nod32 at the time detected none of the files associated with the virus. Symptoms include considerable slowdown, and popups for Nexplore, google adsense scams (I make X thousand dollars a month from google), rogue antivirus programs, and some assorted random sites.

When I realised I had a malware program on my system, I tried MBAM and it would and still does detect 8-18 files most labeled Trojan.Vundo and deletes them successfully; yet the problem persists (usually after reboot) and Virtumonde would recreate the missing dlls and registry keys.

I've also tried VundoFix, but it never detects anything.

Now, Nod32 does detect a lot of the .dll files associated with this particular strain of Vundo, but always comes with an error message when automatically cleaning the file or manually deleting it. And it does not detect the rootkit or whatever happens to be the source of this Vundo infection.

I've ran the readme for Vista excluding ComboFix as I get an error with that, involving os incompatibility (Is it that I have x64 Vista?); and problem still persists. So all logs are attached except for a ComboFix log.

Thanks for taking the time to help me :yum

chaslang · May 5, 2009

Welcome to Major Geeks!

Everyone said: ↑

I've ran the readme for Vista excluding ComboFix as I get an error with that, involving os incompatibility (Is it that I have x64 Vista?);
Click to expand...

That's correct. ComboFix is not compatible with any x64 versions of Windows.

Start by downloading a tool we will need - Pocket KillBox

Save it to its own folder somewhere that you will be able to locate it later.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O1 - Hosts: 82.98.231.89 url.adtrgt.com
O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
O2 - BHO: (no name) - {e365ad1c-14d7-433f-931f-743eccfa5a28} - C:\Windows\SysWow64\hokezage.dll (file missing)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O20 - AppInit_DLLs: c:\windows\system32\yireniye.dll c:\windows\system32\birokone.dll c:\windows\system32\yekonujo.dll c:\windows\system32\vogovode.dll

NOTE: HJT will popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

After clicking Fix, exit HJT.

Now run Pocket Killbox by doubleclicking on killbox.exe

select File, Cleanup, Delete All Backups

Choose Tools > Delete Temp Files and click Delete Selected Temp Files.

Then after it deletes the files click the Exit (Save Settings) button.

NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:

Delete on Reboot

then Click on the All Files button.

Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Windows\system32\birologo.dll
C:\Windows\system32\bizisedi.dll
C:\Windows\system32\bowagina.exe
C:\Windows\system32\bujaweja.dll
C:\Windows\system32\CF25867.exe
C:\Windows\system32\CF4105.exe
C:\Windows\system32\cmd.execf
C:\Windows\system32\dehohibo.exe
C:\Windows\system32\digoteri.exe
C:\Windows\system32\dimufute.exe
C:\Windows\system32\dukareyo.dll
C:\Windows\system32\goromuki.dll.tmp
C:\Windows\system32\haduwuro.dll.tmp
C:\Windows\system32\hiyivonu.exe
C:\Windows\system32\husudima.dll
C:\Windows\system32\jojekuya.dll
C:\Windows\system32\livugafo.dll
C:\Windows\system32\lovalayi.dll
C:\Windows\system32\lusature.dll
C:\Windows\system32\mujijiza.dll
C:\Windows\system32\nayukesu.exe
C:\Windows\system32\pipufowa.dll
C:\Windows\system32\rerideli.dll.tmp
C:\Windows\system32\tuzotuho.exe
C:\Windows\system32\viniyare.dll
C:\Windows\system32\womijuwi.dll
C:\Windows\system32\zubadira.exe

C:\Windows\system32\zudebipe.dll.tmp

Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

If you receive a PendingFileRenameOperations prompt, just click OK to continue (But if you do get this message, please let me know!)

If Killbox does not reboot just reboot your PC yourself.

After reboot, run Malwarebytes and first update it. Then run a full scan and fix anything it finds. Don't be alarmed if you see any detections in the C:\!Killbox folder as they are what we just quarantined with Pocket Killbox. You can just let it remove them too.

Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\Windows\TEMP
C:\Users\Raven\AppData\Local\Temp

Now run Ccleaner to clean out only temp files and nothing else!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

the new log from Malwarebytes

C:\MGlogs.zip

Make sure you tell me how things are working now!

Log in or Sign up

Virtumonde, Logs Inside.

Everyone Private E-2

Attached Files:

MGlogs.zip

SASlog.txt

mbam-log-2009-05-01 (21-13-08).txt

chaslang MajorGeeks Admin - Master Malware Expert Staff Member