HELP!! Delete-resistant malware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mhennigar, Dec 8, 2007.

  1. mhennigar

    mhennigar Private E-2

    HELP!!!! I've already spent 4 days trying to get this blasted thing off my computer. I stupidly opened an .exe file I shouldn't have (though I did scan it first with AVAST!) and got creamed with a flood of Trojans, a Win32Sino worm, and Virtumonde. My on-access scanner blocked the worst of it, and Ad-Aware, Spybot-SD, ADSspy and AVAST scans got almost everything, but I've still got this one file I can't shake using either the delete button, Regedit, or Spybot: c:\Windows\system32\pmnlk.dll. Here's what I know:

    -it's infiltrated the registry as a BHO (currently {19E92E80-CBBE-48D1-B61F-18B5BC399FB8}, though it renumbers itself whenever I try to delete it using Regedit or Autoruns)

    -it's also running as a module in the processes lsass.exe (in the Authorization Packages registry) and explorer.exe.

    Here are some other key issues, some of which are pretty weird from what I've read in other forum posts and guides about persistent Virtumonde infections:

    1. HijackThis doesn't detect it--in fact, it doesn't detect ANY of my BHOs, even though I can clearly see them in Spybot and Autoruns. I've tried doing a scan with IE running and without, no difference. In other words, all the fixes I've seen that involve using HijackThis to "fix" the O2 lines with the bad BHOs (for example, with dede13 on this forum back on 11-17-07, 00:15) *WON'T WORK FOR ME*.

    2. Deckard's Scanner crashed my system when I tried to run it (probably because it tried to create a Restore Point, which I'd disabled in Windows to prevent further infection--several of them got hit during the initial infection).

    3. I tried using an on-line AV Scanner (Trend Micro), but it didn't find Virtumonde. It did find some tracking cookies, but when I tried to clean them, Internet Explorer crashed. Tried it again, making sure to disable my on-board AV scanner (AVAST), same result.

    4. I've already run VundoFix 6.5.10, which the designer (Atribune) specifically said was configured to address that lsass.exe infection. It didn't find anything.

    5. I tried to prep my computer for this forum using ccleaner, but it did a funny thing when I clicked "Run Cleaner" as instructed - while it deleted a ton of stuff (81 MB!), it must have nuked something important in the Windows startup files--when I re-logged in to clean the Administrator profile in Safe Mode, it didn't remember my password!!! Same thing for my User profile, in both Safe and Normal modes. So, I had to reboot with last known good config (I scanned with Spybot immediately, and it found Virtumonde again in three registries I'd already successfully cleaned: aldd, aoprndtws, and rdfa. I've fixed them, but expect they'll crop up again...). This suggests Virtumonde is my problem, but then again, VundoFix didn't find it...

    6. I tried to install Combofix on the desktop, but got a "corrupted file" error on install, and "CRC Failed in Qoo.bat". Resident protections AVAST and Spybot were both running at the time though, so maybe that's why?

    Can anyone help me? Please? I know this is a volunteer site, but it really is getting urgent as I work from home on my computer.

    Thanks in advance,
    MH

    (My HijackThis log is attached, although I don't know if it'll be much use at this point.)
     


  2. abri

    abri MajorGeek

    Hi mhennigar!
    Welcome to Major Geeks!

    Please begin by doing the following:

    1) Run a scan with HijackThis and put a checkmark next to the following items: (do NOT click Fix until you exit ALL browsers including this one you are in now!)

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - Startup: PowerReg Scheduler V3.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    Just exit HijackThis after you've fixed the above.

    2) Next, please go to Spybot and deactivate Teatimer. You can reenable it after you've finished here. Do this by right-clicking on the spybot icon in the lower right-hand corner of your screen and clicking on disable for Teatimer, or you can deactivate it as follows.

    Double-click on the program to start it from the desktop or start it from All Programs. At the top of the screen go to Mode and make sure "advanced" is clicked. Then look for the Tools button on the left-hand side of the window towards the bottom. Click on this. On the left side of the next window you'll see a red and white shield labeled Resident. Click on this. In the middle of the page that opens there are two items, SD Helper and Teatimer. Make sure that Teatimer is unchecked. Then close Spybot.

    3) Now please follow the instructions and links in the READ & RUN ME FIRST. Malware Removal Guide
    being sure to note which parts of the instructions are relevant for your operating system. If CCleaner was downloaded and installed according to the default instructions, it should not be removing your password. As this is a problem, please open it (it should open to the Windows tab) and uncheck everything except Cookies and Temporary Internet Files. Run it with just these two checked and see if that works.

    abri
     
  3. mhennigar

    mhennigar Private E-2

    Thanks for your quick reply!

    A couple of quick clarifications:

    What about my resident AVAST scanner? Should I disable that at the same time as I do Teatimer?

    Also, should I be disconnected from the internet (DSL, in my case) when I'm doing any of this, or would that actually screw up the diagnostics?

    Thanks,
    MH
     
  4. abri

    abri MajorGeek

    It's not usually necessary. I will only ask you to do that if something appears not to be working.

    abri
     
  5. mhennigar

    mhennigar Private E-2

    Hi again Abri,

    This would be a lot quicker if my reply posts wouldn't keep being asked for another login, and then crashing! Ok, let's try this again.

    I did what you asked. I downloaded a fresh copy of CCleaner, and it worked fine this time, in both User and Administrator profiles. Notably, shortly after rebooting as User in Normal mode, my resident AV detected two NEW adware infections (Win32:SecBar-B [Adw]) in my local settings\temp internet explorer files\content.IE5\AJ9SCRIC\upd32_v14[1] and local settings\temp\ynltyogv.dll. Good thing we left AVAST on! I deleted both.

    My scan logs are attached below. Combofix found a lot of crud, and Spybot detected a new Virtumonde infection, which I deleted and purged from backup. The AVG scan was clean. I was away from the computer when the MGtools ran, so I don't know if it ran the HJT scan. If not, let me know and I'll send along an HJT log. (I did a quick scan, and it looks good--the BHO entries are back, and I can see the ones that contained pmnlk.dll are now empty.)

    Please let me know what to do next. As I'm now completely paranoid, I'm not rebooting this computer or touching IE (I'm in Opera now) until I hear from you! Also, I haven't yet toggled off System Restore.

    Oh, one more thing--will I need to do all of this again logged in as Administrator in Safe Mode (my User profile has admin privileges).

    Thanks a million,
    MH
     


  6. abri

    abri MajorGeek

    Check the "Remember Me" box when you log in!! (It's a local remember me, not a cookie remember me)

    Do not reset System Restore until we've finished everything. That will be one of the last things we do. I appreciate your being patient and using your computer only in the most limited way until we can finish. We have a lot going on here right now and are working hard to catch up.

    no.
     
  7. mhennigar

    mhennigar Private E-2

    OK, thanks for the tips. I'll keep waiting on rebooting and using IE until I hear back.

    MH
     
  8. abri

    abri MajorGeek

    Hi mhennigar!


    1)Please uninstall the below:

    - Ad-Aware 2007
    - J2SE Runtime Environment 5.0 Update 10
    - J2SE Runtime Environment 5.0 Update 5
    - J2SE Runtime Environment 5.0 Update 6
    - J2SE Runtime Environment 5.0 Update 9
    - Viewpoint Media Player


    2)Now Reboot.

    3) And now install the current version of Sun Java from: Sun Java Runtime Environment. You still have not done this.


    4) Run HijackThis (it's called analyse.exe under C:\MGTools) and select Do a system scan only. Select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O2 - BHO: (no name) - {19E92E80-CBBE-48D1-B61F-18B5BC399FB8} - (no file)
    O2 - BHO: (no name) - {99B0848C-6BC4-4198-A4C4-0A855ACADC60} - (no file)
    O2 - BHO: (no name) - {C3D151E3-CD2D-4CDA-923A-582E78208048} - (no file)
    O2 - BHO: (no name) - {F5B0656A-EE0D-479F-8EA0-5440F87ADFDB} - (no file)


    After clicking Fix, exit HJT.


    5)Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    6) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Make sure you tell me how things are working now!


    7) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    8) Please post a fresh MGlogs.zip and let me know how things are running now.

    abri
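The two things this thread keeps circling back to are worth being able to see directly rather than only through a HijackThis log: which Browser Helper Object CLSIDs are registered and whether each still points at a DLL on disk (a HijackThis O2 line marked "(no file)", as in step 4 above, is exactly an orphaned CLSID), which DLLs the LSA registry values tell lsass.exe to load at boot (post 1 refers to this list as "Authorization Packages"; the actual value names under the Lsa key are "Authentication Packages", "Notification Packages" and "Security Packages"), and which running processes currently have the suspect DLL mapped, which is why an ordinary delete of a file like pmnlk.dll fails while explorer.exe or lsass.exe holds it open. The script below is an added example written for this editing pass; it is not part of the thread, not one of abri's tools, and not an Avenger script. It assumes a current Windows with PowerShell run from an elevated prompt (the 2007-era XP machine in the thread would not have had PowerShell installed by default, but the registry locations are the same), and the default DLL name `pmnlk.dll` is simply the name from post 1.

```powershell
# Added example, not from the thread: enumerate the three persistence points
# discussed above. Run from an elevated PowerShell prompt.
# $SuspectDll defaults to the file name reported in post 1 (an assumption, not
# something this script knows to be malicious); pass whatever you are hunting.
param(
    [string]$SuspectDll = 'pmnlk.dll'
)

function Get-BhoEntries {
    # Each BHO is a CLSID subkey under these roots; the DLL it loads is the
    # default value of HKCR\CLSID\{clsid}\InprocServer32.
    # The Wow6432Node root only exists on 64-bit Windows (for 32-bit IE).
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $clsid  = $key.PSChildName
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll    = $null
            if (Test-Path $server) {
                $dll = (Get-ItemProperty -Path $server).'(default)'
                if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
            }
            [pscustomobject]@{
                Clsid    = $clsid
                Dll      = $dll
                # Orphaned == CLSID registered but no DLL behind it; this is what
                # HijackThis shows as "O2 - BHO: (no name) - {clsid} - (no file)".
                Orphaned = (-not $dll) -or (-not (Test-Path $dll))
            }
        }
    }
}

function Get-LsaPackages {
    # REG_MULTI_SZ lists of modules lsass.exe loads at boot. A DLL appended to
    # one of these survives ordinary deletion because lsass keeps it mapped.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    foreach ($name in 'Authentication Packages', 'Notification Packages', 'Security Packages') {
        foreach ($entry in @($lsa.$name)) {
            if ($entry) { [pscustomobject]@{ Value = $name; Module = $entry } }
        }
    }
}

function Get-ProcessesLoading {
    param([string]$DllName)
    # Walk every process's mapped modules looking for the file name. Reading
    # lsass.exe modules needs elevation; protected processes may still refuse.
    foreach ($p in Get-Process) {
        try {
            $hit = @($p.Modules | Where-Object { $_.ModuleName -ieq $DllName })
            if ($hit.Count -gt 0) {
                [pscustomobject]@{ Pid = $p.Id; Process = $p.ProcessName; Path = $hit[0].FileName }
            }
        } catch {
            # Access denied on protected or higher-integrity processes; skip them.
        }
    }
}

'== Browser Helper Objects (Orphaned = registered CLSID with no DLL on disk) =='
Get-BhoEntries | Format-Table -AutoSize
'== LSA package lists (modules loaded into lsass.exe at boot) =='
Get-LsaPackages | Format-Table -AutoSize
"== Processes that currently have $SuspectDll mapped =="
Get-ProcessesLoading -DllName $SuspectDll | Format-Table -AutoSize
```

The BHO table is the same information HijackThis summarises in its O2 lines, so it is a useful cross-check when HijackThis shows nothing (as in post 1). If a file name shows up in the LSA package lists or in the process table, deleting the file while it is mapped will fail; that is the situation the Avenger step above is for, since it removes files and registry keys at the next boot, before explorer.exe and lsass.exe have loaded them. A DLL in the process table that is not in any LSA value or BHO key is being loaded some other way and needs a different persistence check.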
     
  9. mhennigar

    mhennigar Private E-2

    You rock! As requested, I've finished step 6 with Avenger, and things are looking good after the reboot. I held my breath and opened Internet Explorer, and no pop-ups when I browse around. The Avenger log is below.

    I've also run the ATF cleaner and re-run the MGTools. The log is below.

    Let me know what's next.

    By the way, after we're done, what anti-spyware programs do you recommend keeping around? Which one is best for resident protection?

    Thanks,
    MH
     


    Last edited: Dec 11, 2007
  10. abri

    abri MajorGeek

    Hi mhennigar!

    Well, slow and steady as she goes ...

    Please go to add/remove programs and see if this is still there. If so uninstall it:
    - Java 2 Runtime Environment, SE v1.4.2_03

    Then go to post 8 of this thread and run Avenger again only using the contents of the following box this time. (This may or may not work, but I like to try the easy way first.)
    Rerun ATF Cleaner after you run Avenger, and post the Avenger log and a fresh MGlogs.zip (which you get by running MGTools.exe, located directly under C:; the MGlogs.zip should then be in the MGTools folder under C:).

    abri
     
  11. mhennigar

    mhennigar Private E-2

    OK, I removed the Java Runtime app, although I chose not to reboot to "finish configuration" before moving on to Avenger. Avenger didn't work, reporting "not valid script" (error log attached).
     


    Last edited: Dec 11, 2007
  12. abri

    abri MajorGeek

    Sorry, that was probably me. Please try Avenger again with the following box contents:
    If it runs like it's supposed to this time, please then follow it with ATF Cleaner as per the instructions in post number 8.
    abri
     
  13. mhennigar

    mhennigar Private E-2

    OK, it worked this time, and I've run ATF and MGTools. You'll notice that the key ending in "0000" had a problem, but it's gone from the registry according to Regedit (it was inside the directory that the first line of code deleted). The Avenger and MGT logs are attached.

    Thanks,
    Matt
     


  14. abri

    abri MajorGeek

    Hi mhennigar!
    Your logs are clean. If you're not having any further problems, please run our final clean-up instructions in the box below:

    abri
     
