Help Removing Persistent Malware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by hagemeister, Dec 13, 2008.

  1. hagemeister

    hagemeister Private E-2

    My original problem was Virtumonde, identified by my Spysweeper sweeper. Multiple scans and reboots would not clear it and I began to get numerous popups offering virus removal tools (Antivirus 2009).

    I followed the Malware Removal procedure and am attaching the first three logs. After following the procedure, I have developed an additional problem. Internet Explorer launches only one out of ten times. The other nine times, a process is created in Task Manager, but no application or window.

    Thanks in advance for your help.
     

    Attached Files:

  2. hagemeister

    hagemeister Private E-2

    Here is the fourth log.

    Thanks again.
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Part of your problem is you are running multiple AV programs:
    Webroot AntiVirus with AntiSpyware
    Norton AntiVirus
    Decide which one you want to keep and uninstall the other!

    I am not seeing much in your logs, but let's do this:
    Please disable all anti-virus and anti-spyware programs while we do the following ( be sure to re-enable when we are finished):


    Run C:\MGtools\analyse.exe by double clicking on it. (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now use windows explorer to find and delete:
    C:\WINDOWS\system32\iperajoz.ini

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file and tell me what problems you are still having.
     
  4. hagemeister

    hagemeister Private E-2

    TimW,

    Thanks for your reply. I ran Combofix to eliminate the two IEXPLORER lines you referenced. I uninstalled the expired version of Norton that was on the machine. I created the fixme.reg file and merged it with my registry. I was unable to find the iperajoz.ini file in the C:\windows\system32 folder. A Windows search found it quarantined as a .VIR file in SuperAntiSpyware. I ran the GetLogs bat in MGTools and have attached the zip below.

    The various scan tools still find a Vundo variant. I have attached the log file from SuperAntiSpyware and AntiMalware which show it to be related to CLSID key {ec43e3fd-5c60-46a6-9707-e0b85dbdd6c4}. The various fixes/reboots from these programs do not appear able to remove it.

    I continue to have difficulty starting an Internet Explorer window. Most attempts still end with no window launched but only an additional IEXPLORER process in Task Manager.


    Thanks again for your help.
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    According to your MBAM log:
    Code:
    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> No action taken.
    
    Please re-run it and have it fix what is found.

    Please run Elite Toolbar Removal

    Also run Norton Removal Tool to remove any leftover services or processes.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file and tell me how things are running.
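    Added example (not from this thread or from MajorGeeks/Malwarebytes): a small Python parser for the MBAM log format quoted above, so the "-> No action taken." entries that the reply points out can be pulled out of a log mechanically rather than by eye. The sample log is constructed for the example; the Browser Helper Objects registration key and the iperajoz.ini file entry are assumptions added to show more than one section, not lines from the poster's actual log.

```python
import re
from typing import Dict, List

# Constructed sample log, shaped like the Malwarebytes (MBAM) sections quoted in
# the thread. The BHO registration key under Browser Helper Objects and the
# iperajoz.ini file entry are assumptions added for this example.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\iperajoz.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

# "Registry Keys Infected:" -> section name "Registry Keys"
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+) Infected:$")
# "<path> (<detection>) -> <action>."  (trailing period optional)
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")
# Standard {8-4-4-4-12} hex GUID as it appears in CLSID registry paths
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.IGNORECASE)

# Actions that mean the item is still present after the scan
UNRESOLVED_ACTIONS = ("No action taken", "Delete on reboot")


def parse_mbam_log(text: str) -> List[Dict[str, str]]:
    """Return one record per detection line, tagged with the section it came from."""
    entries: List[Dict[str, str]] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if line.startswith("(No malicious items detected)"):
            continue
        m = ENTRY_RE.match(line)
        if m and section is not None:
            entries.append({"section": section, **m.groupdict()})
    return entries


def unresolved(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Detections the scanner reported but did not actually remove."""
    return [e for e in entries if e["action"].startswith(UNRESOLVED_ACTIONS)]


def clsids(entries: List[Dict[str, str]]) -> List[str]:
    """Distinct CLSIDs referenced by infected registry paths, lowercased and sorted."""
    found = set()
    for e in entries:
        for c in CLSID_RE.findall(e["path"]):
            found.add(c.lower())
    return sorted(found)


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print(f"{len(found)} detections, {len(unresolved(found))} still unresolved")
    for e in unresolved(found):
        print(f"  [{e['section']}] {e['detection']}: {e['path']}")
    print("CLSIDs involved:", ", ".join(clsids(found)))
```

Running it on a saved MBAM log shows at a glance which items were merely listed versus actually quarantined, and which CLSID the registry entries have in common, which is the value to look for in the BHO list of whatever tool is used to confirm the removal.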
     
  6. hagemeister

    hagemeister Private E-2

    TimW,

    Thanks for your suggestions. I had previously clicked on Quarantine/Delete in SuperAntiSpyware and AntiMalware. Both indicate a reboot is necessary to manage the removal, but neither managed to get rid of the infection.

    I ran both tools you recommended and the malware was still present. I did find, however, the source of my Internet Explorer startup difficulties. SpySweeper allows me to disable individual BHOs in its Explorer shields. When I deactivated the SuperAntispyware BHO, all attempts to start IE proceeded normally. Evidently the SASW BHO interferes somehow with the SpySweeper IE BHO Shield.

    Anyhow, the system is running well, but the same Vundo BHO trojan is indicated in the sweeps. Any other ideas on getting rid of this malware? Thanks again for your help.
     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    This is why we ask you to disable all av and as programs since they can interfere with the fix.

    Please do so and then let's try this:

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now reboot and tell me how things are running. If you get another malware notice, please give me the exact message.
     
