virtumode problem

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by kartim, Jan 15, 2008.

  1. kartim

    kartim Private E-2

    Almost a month ago, I tried sending a huge file out of Outlook, by mistake. Outlook says that it's sending it but it doesn't show up in the actual outbox folder. I don't know if that has anything to do with our trojan problem, but that's when it started. There are numerous people that use this computer so it could be anything that anyone has downloaded.

    I couldn't download combofix. I've tried many times over the last few days and can't get it downloaded. So I don't have a combofix log.

    Spybot finds malware and virtumode. When it tries to "fix" the virtumode, it restarts the computer and can't get rid of it.

    I tried vundofix, it can't delete it and will let me go into a perpetual cycle of restarting the computer without being able to fix it.

    I tried attaching the requested logs but as of this first post, the attachment window won't open, I get an error on the page. I'll try again in a new post.
     
  2. kartim

    kartim Private E-2

    Since I last posted (about 5 min ago) I was able to get the mglogs.zip to attach but I can't access where I saved the AVG log.
     

    Attached Files:

  3. kartim

    kartim Private E-2

    Now I was able to get the avg log to upload. I noticed that I have a red X next to the C: drive.
     

    Attached Files:

  4. abri

    abri MajorGeek

  5. kartim

    kartim Private E-2

    Hi, I borrowed my friend's laptop and I was able to get combofix to download and I have the txt attached. I redid all of the RUN ME FIRST. Here are the new logs. I know I have more to do but this is what I can do until I understand what files need to be deleted. Thank you!
     

    Attached Files:

  6. kartim

    kartim Private E-2

    oops, I forgot the other 2 logs
     

    Attached Files:

  7. abri

    abri MajorGeek

    Hi Kartim,

    1) What is in these folders? (Do not open any files)

    C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\{35A3A4F2-B792-11D6-A78A-00B0D0142160}
    C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\{7148F0A6-6813-11D6-A77B-00B0D0142160}
    C:\j2sdk1.4.2_16
    C:\lj1010


    2) Go to add/remove programs and uninstall the below:

    Java 2 Runtime Environment, SE v1.4.2_16
    Java 2 SDK, SE v1.4.2_16
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) SE Runtime Environment 6 Update 1
    Java(TM) SE Runtime Environment 6


    3) Reboot after uninstalling the above.

    4) Install the current version of Sun Java from: Sun Java Runtime Environment


    5) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O8 - Extra context menu item: &Search - ?p=ZK

    Do you know what each of the following is? If not, please fix them as well.

    O15 - Trusted Zone: http://www.reflexive.com
    O16 - DPF: {FF1CD9A3-00CD-45C1-8182-4EEC229A182D} (Plaxo Auto-Import Utility) - https://www.plaxo.com/activex/plx_upldr-2k-xp.cab

    After you click fix, just close hijackthis.

    Let me know when you've finished with the above so we can continue with the next steps.

    abri
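    A triage helper for the kinds of HijackThis lines quoted in this post (O8 context-menu items, O15 Trusted Zone entries, O16 DPF ActiveX downloads), as an added example that is not code from the thread or from HijackThis itself; the sample log, the `known_hosts` parameter and the `Finding` class are constructed here for illustration:

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample log modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
O8 - Extra context menu item: &Search - ?p=ZK
O15 - Trusted Zone: http://www.reflexive.com
O16 - DPF: {FF1CD9A3-00CD-45C1-8182-4EEC229A182D} (Plaxo Auto-Import Utility) - https://www.plaxo.com/activex/plx_upldr-2k-xp.cab
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\\WINDOWS\\system32\\example.dll
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")                        # "O16 - rest of line"
O16_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\}) \((.*?)\) - (\S+)$")  # DPF: {CLSID} (name) - URL

@dataclass
class Finding:
    kind: str    # HijackThis section, e.g. "O16"
    detail: str  # the rest of the line as logged
    reason: str  # why a reviewer should look at it

def triage(log_text: str, known_hosts=()) -> list:
    """Return the O8/O15/O16 entries a reviewer should check.

    O8  : context-menu handlers whose target is not a well-formed URL
    O15 : every Trusted Zone entry (it lowers IE's security for that site)
    O16 : every ActiveX download (DPF) whose host is not in known_hosts
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, detail = m.groups()
        if kind == "O8":
            target = detail.rsplit(" - ", 1)[-1]
            if not target.lower().startswith(("http://", "https://", "res://")):
                findings.append(Finding(kind, detail, "context-menu target is not a full URL"))
        elif kind == "O15":
            findings.append(Finding(kind, detail, "site added to Trusted Zone; confirm it was intended"))
        elif kind == "O16":
            dm = O16_RE.match(detail)
            host = urlparse(dm.group(3)).hostname if dm else None
            if host not in known_hosts:
                findings.append(Finding(kind, detail, f"ActiveX download from {host or 'unparseable URL'}"))
    return findings
```

    Lines of other sections (the O2 entry in the sample) pass through untouched, so the function only narrows the log to the three entry types the post asks about.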
     
  8. kartim

    kartim Private E-2

    I don't know what the first 2 are but I do know the last 2.

    Java is done.

    I know the reflexive one and left it. I don't know the other one so I fixed it.
     
  9. abri

    abri MajorGeek

    Hi kartim,
    Please post me a new set of MGlogs.zip which you can get by running GetLogs.bat.

    GetLogs.bat is in the MGTools folder under C and the logs you will find afterwards directly under C.

    I have to make sure no new Vundo files came in after you rebooted. Then we can get them all out at once.

    Thanks.
    abri
     
  10. kartim

    kartim Private E-2

    logs are attached. I'm assuming that there still is something since I still have the red X
     

    Attached Files:

  11. abri

    abri MajorGeek

    Hi Kartim,

    Please do the following:

    1) Download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    2) Download and save RenV.exe from the following link to the Desktop (must be on the Desktop)
    • Now Copy the bold text in the below code box to notepad. Save it as Log.txt to your desktop. (It must be on your Desktop).
      Code:
      C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas   .exe
      C:\Program Files\Trend Micro\Internet Security\UfSeAgnt .exe
      C:\WINDOWS\system32\ctfmon .exe

    • Now using your mouse, drag Log.txt onto RenV.exe
    • When finished, RenV.exe will produce a new log named Log.txt on your Desktop. I will ask for this log later.

    3) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log and the RenV log.


    Let me know how things are running now.

    abri
     
  12. kartim

    kartim Private E-2

    The avenger log may not be accurate. Apparently my husband had run it before I got home and didn't tell me until I had run it. The renv and the getlogs were run once.

    There still is a red x by the c: otherwise things are running better.
     

    Attached Files:

    Last edited: Jan 21, 2008
  13. abri

    abri MajorGeek

    Hi Kartim,

    What is your J drive?

    Please uninstall AVG Antispyware. To do this, first right click on the icon in the lower righthand corner of the desktop if the program is active, and turn it off. After this, check under Start / All Programs to see if AVG Antispyware provides its own uninstall program. If so, run it. If there isn't one, please go to add/remove programs and uninstall it from there. After you uninstall it, please reboot your computer.

    Next, see if you can find the following file in Windows Explorer:

    C:\WINDOWS\system32\542AF8D597.sys

    If so, rename it to 542AF8D597.sys.zzz by right-clicking on it and selecting rename. If you can't find it, tell me. It should be directly under system32 probably at the top of the files (not the folders).

    If renaming this driver does not cause any consequences, I'll have you remove it with Avenger. Let me know how this goes.
    Thanks.
    abri
     
  14. kartim

    kartim Private E-2

    J: drive was a second hard drive we installed to keep pics, and other crap on that got bombarded with more stuff and c: drive isn't any better.

    I so far don't have any problems with the C:\WINDOWS\system32\542AF8D597.sys being renamed.
     
  15. abri

    abri MajorGeek

    Hi Kartim,

    Can you tell me what's in these two folders? (Don't open any files!)

    Now, please go back to step 11 and run Avenger again only this time use the contents of this box:
    Now run CCleaner at the default setting with the Windows tab as the one on top.

    After you've done the above and removed AVG Antispyware, please run GetLogs.bat. GetLogs.bat can be found in the MGTools folder under C and after it runs, you will find the MGlogs.zip as a file directly under C:\

    Please attach the MGlogs.zip and the Avenger log.

    Is the red X still there?
    abri
     
    Last edited by a moderator: Jan 22, 2008
  16. kartim

    kartim Private E-2

    I have no idea.

    I ran ccleaner. I had uninstalled AVG as of the last post. Avenger and mglogs are attached.

    There is still a red X.
     

    Attached Files:

  17. abri

    abri MajorGeek

    Hi kartim,

    Are you able to open these two folders and look inside? (Do not open any files inside the folders) I need to know the contents. If you are unable to open the folders, can you right-click on them and give me the information in the properties window of each one?

    Also, do you know when the red x first appeared? You first noticed it when you answered this thread in post number 3. Is that when it first appeared? I am going to be gone, and will ask one of the other helper fighters to continue helping you. Since the problem with the red x has come up once before and did get resolved, it should be possible to figure out where it's coming from.

    abri
     
  18. kartim

    kartim Private E-2

    Sorry, I misunderstood you.
    C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\{35A3A4F2-B792-11D6-A78A-00B0D0142160}
    1033.mst and Java 2 SDK, SE v1.4.2_16.msi

    C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\{7148F0A6-6813-11D6-A77B-00B0D0142160}
    1033.mst Java 2 Runtime Environment, SE v1.4.2_16.msi

    It was probably about January 11 that I noticed the red X. But I had forgotten to mention it in my original post. I had tried to do a system restore but there weren't any restore points. I tried for about a week to get rid of viruses to no avail. I did google search after search. Then I remembered that I had stumbled upon this site last year and what a great help you all are.

    Thank you for all of your help.
     
  19. abri

    abri MajorGeek

    Hi Kartim,

    If you already removed Java 2 Runtime Environment, SE v1.4.2_16.msi in post 7, please go ahead and delete these two entries.


    Then I would like for you to do the following:

    Please go to Alternate Scans and scroll about halfway down the page where you'll see a list of rootkit scans. Please run Rootkit Revealer and Sophos. Also, please run Silent Runners

    After you finish the above scans, please run GetLogs.bat (in the MGTools folder under C) and post a fresh set of MGlogs.zip (located directly under C above the superman icon)

    Attach the results of the rootkit scans together with the MGlogs.zip. You may need two posts to do this.

    Thanks.
    abri
     
  20. kartim

    kartim Private E-2

    first 3 logs
     

    Attached Files:

  21. kartim

    kartim Private E-2

    I deleted, ran all things, attached logs
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to attach the log from running Sophos AntiRootkit. You did not attach the log, you attached the release notes about Sophos AntiRootkit. See the instructions given for using the program.

    Is your only problem the RED X? Can you attach a snapshot that shows this? Is everything working okay otherwise?

    Your log still shows C:\WINDOWS\system32\kdfmgr.exe running. Is this kdefense stuff something you installed? What is it? Also, all of the below were part of it:

    C:\WINDOWS\system32\kdfmgr.exe
    C:\WINDOWS\system32\kdfvmgr.exe
    C:\WINDOWS\system32\kdfapi.dll
    C:\WINDOWS\system32\Kdfhok.dll
    C:\WINDOWS\system32\kdfinj.dll
    C:\WINDOWS\kdefense <-- folder


    I'm now wondering if it is somehow part of TrendMicro which would be pretty stupid of them. I see the below:
    C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\package\kdfapi2.dll

    I say it would be stupid of them due to the names being used and where the files are located. They should be using recognizable names from TrendMicro and they should install in their own folders. It is possible that it is not part of Trend Micro and that it is a trojan as some people think. I'm not sure at this point. Perhaps you need to call Trend Micro and ask them point blank if these files are part of their application.

    Other information I have seems to indicate they are part of "Kings Information & Network" whatever that is. Seems to point to Asian/Korean type websites. Does this sound familiar to you? I would bet it is something TrendMicro licenses for use in their software. Probably related to keylogger protection or similar.
     
  23. kartim

    kartim Private E-2

    Sorry about the log, not sure what I was thinking. If I need to run it again, let me know. Thanks.

    I contacted Trend Micro and kdefense is not part of their software; however, they did say that C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\package\kdfapi2.dll is supposed to be there. I don't know if they actually checked or if they are assuming that it is because of where it's located.

    The red X is the only current problem. Everything else was resolved.
     

    Attached Files:

  24. kartim

    kartim Private E-2

    I checked in add/remove programs. Kdefense is not listed. The person I talked to at TM told me to delete the kdefense folder. I didn't want to do it until I got the OK from you in case I need to do more than just delete the folder. I googled a little and saw a couple other people who have it. After they delete the folder, upon restart it comes back. So they are assuming that it's supposed to be there from TM, like you said, as a keylogger protection.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I think you better call them again and ask to speak to someone that knows their software better. Perhaps a supervisor. To the best of my knowledge, this kdefense software is something that they are installing.

    That's correct and it is because it is part of TrendMicro.

    We already tried that and it came right back with the other items because your Trend Micro Software installs it at the next reboot.


    I'm not sure how to fix the red X you see instead of the drive icon. Perhaps the below can fix it.

     
