VirtuMonde Help Needed

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by toclark2, Sep 2, 2005.

  1. toclark2

    toclark2 Private E-2

    Ewido found it while I was setting up the PC with the specified prevention applications.

    Confirmed the file is infected using the VirusTotal site.

    All the latest files from the support thread spyware, AVG, ZoneAlarm and the Virtumonde stuff too.

    From the VirtuMonde Thread:

    Did not catch the problem file.
    Did not catch the problem file.

    I did not run Pocket Killbox because I'm concerned that the files aren't similar and I might do more harm than good by guessing the file process.

    I see that killbox is likely the solution, however, I'd like to have someone help identify all the potential files infected.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Assuming you ran all other standard cleaning steps of the READ ME, then attach a HijackThis log for this PC.
     
  3. toclark2

    toclark2 Private E-2

    HiJackThis Log as requested...
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You do realize that you never ran the complete READ ME FIRST on this PC?
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let’s start by getting rid of the bad item in your Trusted Zone. Then in the next message I’ll post a fix for the Virtumundo problem.

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file move.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the move.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.


     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay let's start by downloading two tools we will need:

    - Process Explorer 9.2

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Reboot in Safe Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of fontutil.dll once and then click the kill button. After you have killed all of the fontutil.dll instances under winlogon click ok. (If you do not find the dll, just continue on.)

    Then repeat, looking in winlogon.exe for the DLLs below, and kill them if found:
    olems.dll, svcanti.dll, and winmfc.dll


    Next double click on explorer.exe and again click once on each instance of fontutil.dll then click the kill button. Once you have done that click ok again. (If you do not find the dll, just continue on.)

    Then repeat, looking in explorer.exe for the DLLs below, and kill them if found:
    olems.dll, svcanti.dll, and winmfc.dll


    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\repair\fontutil.dll
    O20 - Winlogon Notify: fontutil - C:\WINDOWS\repair\fontutil.dll
    O20 - Winlogon Notify: olems - C:\WINDOWS\java\trustlib\olems.dll (file missing)
    O20 - Winlogon Notify: svcanti - C:\WINDOWS\repair\svcanti.dll (file missing)
    O20 - Winlogon Notify: winmfc - C:\WINDOWS\msagent\chars\winmfc.dll (file missing)


    Copy the bold text below to notepad. Save it as fixVundo.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.


    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note that many of the files listed below may not exist, but we need to check for them anyway.

    C:\WINDOWS\msagent\chars\winmfc.ini
    C:\WINDOWS\msagent\chars\winmfc.ini2
    C:\WINDOWS\msagent\chars\winmfc.bak
    C:\WINDOWS\msagent\chars\winmfc.bak2
    C:\WINDOWS\msagent\chars\winmfc.tmp
    C:\WINDOWS\msagent\chars\winmfc.dll

    C:\WINDOWS\java\trustlib\olems.ini
    C:\WINDOWS\java\trustlib\olems.ini2
    C:\WINDOWS\java\trustlib\olems.bak
    C:\WINDOWS\java\trustlib\olems.bak2
    C:\WINDOWS\java\trustlib\olems.tmp
    C:\WINDOWS\java\trustlib\olems.dll

    C:\WINDOWS\repair\svcanti.ini
    C:\WINDOWS\repair\svcanti.ini2
    C:\WINDOWS\repair\svcanti.bak
    C:\WINDOWS\repair\svcanti.bak2
    C:\WINDOWS\repair\svcanti.tmp
    C:\WINDOWS\repair\svcanti.dll

    C:\WINDOWS\repair\fontutil.ini
    C:\WINDOWS\repair\fontutil.ini2
    C:\WINDOWS\repair\fontutil.bak
    C:\WINDOWS\repair\fontutil.bak2
    C:\WINDOWS\repair\fontutil.tmp
    C:\WINDOWS\repair\fontutil.dll

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot post a new HJT log.
     
    Last edited: Sep 5, 2005
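    As an added illustration (not part of the thread or of any tool mentioned in it), a small Python parser for the O2/O20 HijackThis lines quoted in the post above. It flags the same pattern chaslang is fixing: Winlogon Notify packages and BHOs whose DLL sits in an unusual system directory, or whose file no longer exists on disk but whose registry hook remains. The sample lines are constructed from the post plus one benign Winlogon Notify entry; the list of "odd" directories is an assumption taken from this thread, not an authoritative list.

```python
import re

# Constructed sample: the O2/O20 lines from the post above plus one benign
# Winlogon Notify entry (crypt32chain) so the filter has something to keep.
SAMPLE_HJT_LINES = r"""
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\repair\fontutil.dll
O20 - Winlogon Notify: fontutil - C:\WINDOWS\repair\fontutil.dll
O20 - Winlogon Notify: olems - C:\WINDOWS\java\trustlib\olems.dll (file missing)
O20 - Winlogon Notify: svcanti - C:\WINDOWS\repair\svcanti.dll (file missing)
O20 - Winlogon Notify: winmfc - C:\WINDOWS\msagent\chars\winmfc.dll (file missing)
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

# Assumption drawn from this thread: directories that normally hold no BHO or
# Winlogon Notify DLLs. A DLL loading into winlogon.exe from here is suspect.
ODD_DLL_DIRS = (
    "c:\\windows\\repair\\",
    "c:\\windows\\java\\trustlib\\",
    "c:\\windows\\msagent\\chars\\",
)

O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+?)(?P<missing> \(file missing\))?$")

def parse_line(line):
    """Return a dict for an O2 or O20 line; None for any other HJT line type."""
    line = line.strip()
    for kind, rx in (("O20", O20_RE), ("O2", O2_RE)):
        m = rx.match(line)
        if m:
            entry = m.groupdict()
            entry["kind"] = kind
            entry["missing"] = entry["missing"] is not None  # "(file missing)" present?
            entry.setdefault("clsid", None)                 # O20 lines carry no CLSID
            return entry
    return None

def suspicious(entry):
    """True if the DLL lives in an odd directory or the hook points at a file
    that is gone (a stale Notify/BHO registration that still needs cleanup)."""
    path = entry["path"].lower()
    return entry["missing"] or any(path.startswith(d) for d in ODD_DLL_DIRS)

def flag_entries(text):
    """Parse a whole HJT log and return only the O2/O20 entries worth fixing."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    return [e for e in entries if suspicious(e)]
```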
  7. toclark2

    toclark2 Private E-2

    All went according to directions.

    The "just in case" virtumonde were not located. The fontutil.dll was unregistered prior to deletion...

    New HijackThis log as requested.
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Your Virtumundo problem is gone. Just fix the below minor items and we should be done.

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)


    Let me know how things are working now!
     
