Malware successfully removed?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by IanC2, May 16, 2008.

  1. IanC2

    IanC2 Private E-2

    Hi

    I have a laptop which has picked up a malware infection (Virtumonde I think), the symptoms of which were IE slow to open, popups appearing, and Avast antivirus flagging up various Trojans. I've gone through the READ AND RUN ME FIRST instructions, and this does seem to have improved things. I don't know if it's completely clean now though, so if anyone could take a look at the logs and let me know if all looks OK that would be great.

    Thanks
    Ian

  2. IanC2

    IanC2 Private E-2

    Here's the remaining log.

    Ian

  3. abri

    abri MajorGeek

    Hi IanC2,
    Welcome to the Malware Forum!


    I'm looking at your logs and will post you a set of instructions as soon as I'm done. Thanks for being patient.

    abri
     
  4. abri

    abri MajorGeek

    Hi IanC2,

    There are still some bad files on your computer and a few other items of general maintenance that will keep your computer from being as vulnerable to new viruses. Please do the following:



    1) I would like for you to begin by stopping a service.

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to SymWMI Service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.


    2) Now we're going to delete the Service
    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis.
    Instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    Click Config -> Misc Tools -> Delete an NT service.
    In the Delete window, type SymWSC and press OK.
    OK any prompts, close HijackThis. Do not restart your computer. We will do this later.


    3) Install the current version of Sun Java from: Sun Java Runtime Environment


    4) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    5) Run C:\MGtools\analyse.exe by double clicking on it. (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {0CAA7C01-C584-4746-8A80-3796F3E8E369} - C:\WINDOWS\System32\opnkhiig.dll (file missing)
    O2 - BHO: (no name) - {7A8106A8-68F3-4460-A4ED-E93F38F9E2CA} - C:\WINDOWS\System32\wvwxx.dll (file missing)
    O2 - BHO: (no name) - {E1F5FF6C-63B5-4791-918B-AD7F817EDCE6} - C:\WINDOWS\System32\geBsrPHY.dll (file missing)
    O2 - BHO: (no name) - {F325A476-F1A8-4502-BE3E-016B5BB363D3} - C:\WINDOWS\System32\opnonkHB.dll (file missing)
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [263f0e4a] rundll32.exe "C:\WINDOWS\System32\xnobgmlo.dll",b
    O4 - HKLM\..\Run: [BM250c3dd6] Rundll32.exe "C:\WINDOWS\System32\qwbvusqo.dll",s
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O20 - Winlogon Notify: khffdef - khffdef.dll (file missing)
    O20 - Winlogon Notify: urqrpmno - urqrpmno.dll (file missing)
    O20 - Winlogon Notify: yayvUOgE - yayvUOgE.dll (file missing)
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


    After you click fix, just close hijackthis.


    6) Download and install Erunt. Use it to create a backup of your registry.

    7) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the File Type is set to "all files". Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.
    8) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt


    9) Now run CCleaner at the default setting with the Windows tab as the top one.

    10) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
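Added example, not part of the original thread and not one of the MajorGeeks tools: the entries abri picks out above follow a recognisable pattern (BHOs and Winlogon Notify DLLs that are "(no name)" or "(file missing)", and Run values with hex-like names that use rundll32 to load random-looking DLLs out of System32). The same pattern explains the RUNDLL "Error loading ...qwbvusqo.dll" message later in the thread: once Avenger deletes the DLL, the Run value that loads it survives until it is fixed in HijackThis. The Python below applies those rules to the lines quoted in this post so the triage can be repeated on a fresh log. The function names (triage, classify, looks_random) and the letter-run heuristic are my own assumptions; the sample lines are copied from the HijackThis entries in this thread. It is a screening aid only: it deliberately leaves O23 service entries (the Symantec remnants here) to manual review, and every hit should be confirmed before it is fixed.

```python
"""Triage helper for HijackThis-style log lines (added example, not a MajorGeeks tool)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the HijackThis entries quoted in this thread.
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: (no name) - {0CAA7C01-C584-4746-8A80-3796F3E8E369} - C:\WINDOWS\System32\opnkhiig.dll (file missing)",
    r"O2 - BHO: (no name) - {7A8106A8-68F3-4460-A4ED-E93F38F9E2CA} - C:\WINDOWS\System32\wvwxx.dll (file missing)",
    r"O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r'O4 - HKLM\..\Run: [263f0e4a] rundll32.exe "C:\WINDOWS\System32\xnobgmlo.dll",b',
    r'O4 - HKLM\..\Run: [BM250c3dd6] Rundll32.exe "C:\WINDOWS\System32\qwbvusqo.dll",s',
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"',
    r"O20 - Winlogon Notify: khffdef - khffdef.dll (file missing)",
    r"O20 - Winlogon Notify: yayvUOgE - yayvUOgE.dll (file missing)",
    r"O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe",
])

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")            # "O4 - <body>"
RUN_ENTRY = re.compile(r"\[([^\]]+)\]\s*(.*)$")       # "[value name] command line"
DLL_IN_SYSTEM32 = re.compile(r'\\system32\\([^\\"]+\.dll)', re.IGNORECASE)
NOTIFY_DLL = re.compile(r"- (\S+\.dll)", re.IGNORECASE)
HEXISH_NAME = re.compile(r"^(BM)?[0-9a-f]{8}$")      # generated Run value names seen in this thread
VOWELS = set("aeiouAEIOU")


@dataclass
class Finding:
    kind: str    # HijackThis section, e.g. "O4"
    reason: str
    line: str


def looks_random(filename: str) -> bool:
    """Heuristic (my assumption): short alphabetic stems with long consonant runs or
    almost no vowels look machine-generated. Legitimate names can trip it, so it is
    only applied to DLLs loaded from System32 by autorun entries."""
    stem = filename.rsplit(".", 1)[0]
    if not stem.isalpha() or not 4 <= len(stem) <= 12:
        return False
    vowels = sum(c in VOWELS for c in stem)
    longest_run = max((len(m) for m in re.findall(r"[^aeiouAEIOU]+", stem)), default=0)
    return longest_run >= 4 or vowels / len(stem) < 0.25


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious or orphaned entry, else None."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    kind, body = m.groups()
    missing = "(file missing)" in body
    if kind == "O2":
        if missing:
            return Finding(kind, "orphan BHO: CLSID still registered but the DLL is gone", line)
        d = DLL_IN_SYSTEM32.search(body)
        if "(no name)" in body and d and looks_random(d.group(1)):
            return Finding(kind, "unnamed BHO loading a random-looking System32 DLL", line)
    elif kind == "O4":
        r = RUN_ENTRY.search(body)
        if r:
            name, cmd = r.groups()
            d = DLL_IN_SYSTEM32.search(cmd)
            if cmd.lower().startswith("rundll32") and d and looks_random(d.group(1)):
                return Finding(kind, "rundll32 autorun of a random-looking System32 DLL", line)
            if HEXISH_NAME.match(name):
                return Finding(kind, "autorun value with a hex-like generated name", line)
    elif kind == "O20":
        if missing:
            return Finding(kind, "orphan Winlogon Notify entry: the DLL is gone", line)
        d = NOTIFY_DLL.search(body)
        if d and looks_random(d.group(1)):
            return Finding(kind, "Winlogon Notify DLL with a random-looking name", line)
    # O23 services and everything else are left for manual review.
    return None


def triage(log_text: str) -> List[Finding]:
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


def summarize(findings: List[Finding]) -> dict:
    counts: dict = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:4} {f.reason}\n     {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

To use it on a real log, read the saved hijackthis.log and pass its contents to triage(). A flagged entry is a candidate, not a verdict: some legitimate installers also use terse names, so check the file's publisher, signature and timestamp before fixing the line, and treat a "(file missing)" hit after a cleanup run as the leftover that produces the RUNDLL error at logon.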
     
  5. IanC2

    IanC2 Private E-2

    Hi abri

    Thanks a lot for your help.

    I ran your instructions, and noted the following issues (which may or may not be important!), as per your numbering:

    1. The service was already stopped, but I disabled it anyway.

    2. When I tried to delete the service I got a message saying "The service you entered is system-critical! It can't be deleted".

    5. The following entries were not present:
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    When I rebooted after Avenger I got an error message:
    RUNDLL
    Error loading C:\Windows\system32\qwbvusqo.dll

    I think that message may have already been appearing at startup anyway (this laptop is normally used by a colleague).

    IE seems to be running more smoothly since completing your instructions.

    Thanks
    Ian

  6. abri

    abri MajorGeek

    Hi IanC2,

    Just a few things left:

    1) Delete the contents of this directory: (Windows won't allow you to delete files from the current date)

    C:\Documents and Settings\Administrator\Local Settings\Temp\

    2) I would like for you to begin by stopping a service.

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to LiveUpdate - Symantec Corporation
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.


    3) Now we're going to delete the Service
    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis.
    Instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    Click Config -> Misc Tools -> Delete an NT service.
    In the Delete window, type SymWSC and press OK.
    OK any prompts, close HijackThis. Do not restart your computer. We will do this later.


    4) Run C:\MGtools\analyse.exe by double clicking on it. (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [BM250c3dd6] Rundll32.exe "C:\WINDOWS\System32\qwbvusqo.dll",s
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE


    After you click fix, just close hijackthis.


    5) Use Erunt. to create a backup of your registry.

    6) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the File Type is set to "all files". Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.
    7) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt


    8) Now run CCleaner at the default setting with the Windows tab as the top one.

    9) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
     
  7. IanC2

    IanC2 Private E-2

    Hi abri

    That's all done. I got the same error message as before when I tried to delete the SymWSC service though.

    Also, the following was not present in HijackThis:
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

    Things seem to be running OK. The RUNDLL error message is no longer appearing.

    Ian

  8. abri

    abri MajorGeek

    Hi IanC2,

    We are making progress and I hope not far from completion, but there are a few more files that need to be removed. Please continue as follows.


    1) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    2) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select Do a system scan only. In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"

    optionally fix this as well:


    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

    After you click fix, just close hijackthis.


    3) Next I would like to have you use ComboFix to remove some files.


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    FILE::
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\glnvuwxf.exe
    C:\WINDOWS\system32\xfgpvi.exe
    C:\WINDOWS\system32\hhexwv.exe
    C:\WINDOWS\system32\mqvdayft.exe
    C:\WINDOWS\system32\vdsalknk.exe
    C:\WINDOWS\system32\ehtco.exe
    C:\WINDOWS\system32\jeog.exe
    C:\WINDOWS\system32\javaws.exe
    C:\WINDOWS\system32\skewxzhg.exe
    C:\WINDOWS\system32\isbs.exe
    C:\WINDOWS\system32\abay.exe
    C:\WINDOWS\system32\veyler.exe
    C:\WINDOWS\system32\lmfvhids.exe
    C:\WINDOWS\system32\ppcpyep.exe
    C:\WINDOWS\system32\vygbxmr.exe
    
    DIRLOOK::
    C:\WINDOWS\system32\bits
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


    4) Now run CCleaner at the default setting with the Windows tab as the top one.

    5) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the ComboFix (cf) log.


    Let me know how things are running now.

    abri
     
  9. IanC2

    IanC2 Private E-2

    That's all done. I had to split the combofix log into two parts, as the single file exceeded the permissible file size.

    Things seem to be running OK at the moment.

    Ian

  10. abri

    abri MajorGeek

    Hi IanC2,
    I think we got it. Please do the following. The registry fix will remove some settings that ComboFix adds but doesn't remove, and the instructions in the bottom box are to remove all the tools and logs we put on your computer that you don't need anymore. If you want to keep HijackThis and the backups, follow the alternate instructions indicated by the red *

    First:
    copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the File Type is set to "all files". Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.


    After you complete the above, you can follow the instructions for the final cleanup which will remove the logs and tools we had you put on your computer. You'll also be asked to wipe all your previous restore points and set a clean one.
    (I recommend you do this) If you want to keep HijackThis (analyse.exe), then please skip the step which asks you to remove HijackThis via add/remove programs and see the extra instructions in brown at the bottom of the box.
    abri
     
  11. IanC2

    IanC2 Private E-2

    Hi abri

    Everything went OK. Thanks a lot for your help - it's much appreciated.

    Ian
     
  12. abri

    abri MajorGeek

    You're welcome. I'm really glad.
    Enjoy your computer!
    abri
     