Can not clear out Virtumonde

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Corey124, Sep 15, 2005.

  1. Corey124

    Corey124 Private E-2

    Hey Majorgeeks.com guys... need a bit of help here :( I'm normally pretty good about removing viral infections from computers and such from my friends' PCs and whatnot ... but in this case I'm stumped.

    I started getting WinFixer popup messages, and have been battling them for a few days now. I read other forums and advice that other people were given - which seemed to work ... but only temporarily.

    I tried this forum, and went through everything in the Sticky before asking for help, as per all the threads that state so (-:

    I may have fixed the WinFixer popups (At least I hope I did), but ran into this gem of a problem:

    Currently I have ewido security suite active on my computer (as was suggested in a different forum), and it keeps alerting me that "C:\Windows\AppPatch\psav.dll" is infected with Spyware.Virtumonde .... and asks me to clean it... which I do. Yet every time I restart my computer OR open up IE, the same message comes up.

    I shut down everything and rebooted in safe mode.... and cleaned that directory again with ewido, with no luck.

    I tried again with a² Free edition, which stated that it was cleaned successfully.... yet STILL, that file shows as being infected.

    TrojanScan stated that I had the Adware.Virtumonde infection. I noticed that was on the Symantec site, and that they had a removal tool for it.... so I tried those tools (Symantec Trojan.Vundo Removal Tool 1.2.4 and Symantec Adware.VirtuMonde Removal Tool 1.0.3) with no detections being found.

    I'm frustrated with this thing, and just about ready to format my HD and reinstall everything again (which, frankly, I hate doing because it's so time consuming ... and I'd rather just be playing EverQuest2).

    Oh, and just a sidenote: WinFixer hasn't been back for at least the last 3 hours, or so ...

    Thanks,

    Corey124
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are probably still infected. Please follow the steps below:


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. Corey124

    Corey124 Private E-2

    Here is the log. Oh, and WinFixer popups are back :mad: Was a nice couple of hours with them gone, I must say, hehe. :rolleyes:

    Corey124
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.


    Please print these instructions out for use in Safe Mode.

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to extract the files
    • This will create a VundoFix folder on your desktop.
    • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
    • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
    • You will first be presented with a warning and a list of forums to seek help at. It should look like this
    • At this point press enter one time.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):

    C:\WINDOWS\AppPatch\psav.dll

    • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):

    C:\WINDOWS\AppPatch\vasp.*

    • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    • The fix will run then HijackThis will open.
    • In HiJackThis, please place a check next to the following items and click FIX CHECKED:
    Unless you know the R1 line is valid, fix it too!!!
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://fwalerts.zonelabs.com/fwalerts/fwanalyze.jsp?V103=Adok7w4YTCFwAwQAAIkAAAABAAAAAQAAAAEAAAABAAAAooYBADAxMDIJBAMAAQANAQBBHQAAAAAAAAACAAAA//8Q+,,,,Windows+XP-5.1.2600--SP,5.1.011.000,ExtBlockAll2,j5hvqhisiu3s4he7bhx644bu4g0,1,,&CL=en&LICFLAG=1&OEM=1012&SKU=0&Mode=1&Product=ZoneAlarm (obfuscated)
    O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\AppPatch\psav.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O20 - Winlogon Notify: psav - C:\WINDOWS\AppPatch\psav.dll



    • After you have fixed these items, close HijackThis and press any key to force a reboot of your computer.
    • Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
    • Once your machine reboots please attach a new HJT log from normal mode.
     
  5. Corey124

    Corey124 Private E-2

    System Restore is off.... attempting the fix now. Thanks for the quick replies!

    Corey124
     
  6. Corey124

    Corey124 Private E-2

    Ok, ran the fix. One thing that did not happen; after closing HJT, pressing any key to force reboot did not work.... system just hung. )-: I was looking forward to ol' BSOD *sniff* HEHE. I had to power down the computer to get it to reboot.

    As soon as the computer booted up, I noticed that ewido didn't notify me that there was Malware, so far so good.

    I ran HJT, and here are the results. I did check and run the fix on the old R1 line, and noticed it was back. I am using ZoneAlarm for my firewall, so it is possible that it is valid? I'm not sure.

    Thanks again, so far so good! :)

    Corey124
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Zonelabs is a valid site but there is no reason to have the R1 line. It is a link to a message about blocking access to port 137.

    I don't think you got the items fixed with HJT. They are still there. Just run HJT and select the below lines and fix them (make sure browsers are closed before clicking Fix).

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://fwalerts.zonelabs.com/fwalerts/fwanalyze.jsp?V103=Adok7w4YTCFwAwQAAIkAAAABAAAAAQAAAAEAAAABAAAAooYBADAxMDIJBAMAAQANAQBBHQAAAAAAAAACAAAA//8Q+,,,,Windows+XP-5.1.2600--SP,5.1.011.000,ExtBlockAll2,j5hvqhisiu3s4he7bhx644bu4g0,1,,&CL=en&LICFLAG=1&OEM=1012&SKU=0&Mode=1&Product=ZoneAlarm (obfuscated)
    O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\AppPatch\psav.dll (file missing)
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O20 - Winlogon Notify: psav - C:\WINDOWS\AppPatch\psav.dll (file missing)

    Now exit HJT.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Then reboot and post a new log.
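The O2 and O20 lines in the fix above come from two registry persistence points, and the reason they reappear as "(file missing)" after VundoFix is that the DLL was deleted while the keys that reference it were left behind. The script below is an added example, not part of this thread and not code from HijackThis or VundoFix; it walks those two locations the way HJT does, resolves each entry to the DLL it loads, reports whether the file still exists and whether it is Authenticode-signed, and with -Remove deletes only the orphaned keys. It assumes an elevated PowerShell prompt and that a bare Winlogon Notify file name resolves from System32; the Notify mechanism itself is XP/2003-era and later Windows versions ignore it even if the key is present.

```powershell
<#
Added example (not from the thread, HijackThis or VundoFix).
Enumerates the two persistence points behind HJT's O2 and O20 lines:
  O2  - HKLM\...\Explorer\Browser Helper Objects\{CLSID}, resolved through
        HKCR\CLSID\{CLSID}\InprocServer32 to the DLL Internet Explorer loads
  O20 - HKLM\...\Winlogon\Notify\<name>, whose DLLName value winlogon.exe loads
Entries whose DLL no longer exists are what HJT prints as "(file missing)".
Assumes an elevated prompt. Nothing is deleted unless -Remove is given.
#>
[CmdletBinding()]
param([switch]$Remove)

function Resolve-Dll([string]$path) {
    # Values such as %windir%\foo.dll are stored unexpanded; expand before Test-Path.
    if ([string]::IsNullOrWhiteSpace($path)) { return $null }
    return [Environment]::ExpandEnvironmentVariables($path.Trim('"'))
}

function Get-Signed([string]$path) {
    # Vundo-style DLLs carry no valid Authenticode signature; vendor BHOs usually do.
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { return $false }
    return (Get-AuthenticodeSignature -FilePath $path).Status -eq 'Valid'
}

$findings = @()

# --- O2: Browser Helper Objects ---------------------------------------------
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path -LiteralPath $bhoRoot) {
    foreach ($key in Get-ChildItem -LiteralPath $bhoRoot) {
        $clsid  = $key.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = $null
        if (Test-Path -LiteralPath $server) {
            $dll = Resolve-Dll ((Get-ItemProperty -LiteralPath $server).'(default)')
        }
        $findings += [pscustomobject]@{
            Type   = 'O2 BHO'
            Name   = $clsid
            Dll    = $dll
            Exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
            Signed = Get-Signed $dll
            Keys   = @($key.PSPath, "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid")
        }
    }
}

# --- O20: Winlogon Notify packages -----------------------------------------
$notifyRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path -LiteralPath $notifyRoot) {
    foreach ($key in Get-ChildItem -LiteralPath $notifyRoot) {
        $dll = Resolve-Dll ((Get-ItemProperty -LiteralPath $key.PSPath).DLLName)
        # Assumption: a bare file name (e.g. "psav.dll") is loaded from System32.
        if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
            $dll = Join-Path $env:SystemRoot "System32\$dll"
        }
        $findings += [pscustomobject]@{
            Type   = 'O20 Winlogon Notify'
            Name   = $key.PSChildName
            Dll    = $dll
            Exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
            Signed = Get-Signed $dll
            Keys   = @($key.PSPath)
        }
    }
}

$findings | Sort-Object Exists, Signed |
    Format-Table Type, Name, Exists, Signed, Dll -AutoSize

# Orphaned entries (DLL gone, key still present) are the "(file missing)" lines.
$orphans = @($findings | Where-Object { -not $_.Exists })
if ($Remove) {
    foreach ($o in $orphans) {
        foreach ($k in $o.Keys) {
            if (Test-Path -LiteralPath $k) {
                Write-Host "Removing $k"
                Remove-Item -LiteralPath $k -Recurse -Force
            }
        }
    }
} elseif ($orphans.Count -gt 0) {
    Write-Host "$($orphans.Count) orphaned entries; rerun with -Remove to delete their keys."
}
```

Run it first without -Remove and read the table: an entry with Exists false is the leftover key that HJT's "Fix checked" would delete, while an entry that exists, is unsigned, and lives somewhere odd like C:\WINDOWS\AppPatch is the live infection and needs the DLL removed (from Safe Mode, as the fix above does) before its keys are worth touching, otherwise the loaded DLL recreates them.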
     
  8. Corey124

    Corey124 Private E-2

    Ran HJT again, and I think it's got them this time, WOOT! I don't see anything of concern left in the HJT log ... but then again, I'm no expert, hehe.

    Thanks for all your help! I don't think I would have ever figured all this out on my own ... and I would have ended up reformatting.

    I don't know how you guys (and gals) can know how to fix all this stuff ... would be interesting to learn.

    Corey124
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, you're clean now. To help keep you that way, make sure you follow the steps in the below:

    How to Protect yourself from malware!

    Keep reading the threads here and you will learn quite a bit.
     
