troj/virtum-gen

Discussion in 'Malware Help (A Specialist Will Reply)' started by ditto, Apr 1, 2008.

  1. ditto

    ditto Private E-2

    hey there, i've tried Sophos's method of removing this trojan but with no results. i've also followed the instructions in one of the threads but it's still there. help would be much appreciated! =) thanks! i've uploaded the log from MGtools and also avenger.
     


  2. abri

    abri MajorGeek

    Hi ditto,
    Welcome to Major Geeks!

    In the READ & RUN ME FIRST, we request that you go to Start / Run and type in msconfig and click on ok. In the Window that opens you are instructed to set your computer into normal startup mode and then run several scans which include the scans resulting from installing the MGTools. Please follow these instructions and then attach the resulting logs to your next post. I hate to ask you to rerun those you've done, but the logs resulting from the installation of the MGTools only need a fairly short scan and I need for you to be in normal startup mode. I've looked through your logs already and there are a number of files which need to be deleted, but it will save time if we can do everything in the right order. Since you have already installed the MGTools, after you complete the other instructions in the READ ME, you need only go to the C:\MGTools folder and find the file called GetLogs.bat. Double click on it to run it and then attach the MGlogs.zip with the other two logs.

    Thanks.
    abri
     
  3. abri

    abri MajorGeek

    Hi ditto,

    I was able to get the following from your current logs. Please continue as follows:

    1) Go to add/remove programs and uninstall the below:
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3

    2) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
    O2 - BHO: (no name) - {060BB0AB-4B09-4C51-9ECB-9580A6D08D7F} - C:\WINDOWS\system32\hgGwWQhg.dll
    O2 - BHO: (no name) - {315AE683-318E-4302-BF17-EE2CC5DAA28B} - C:\WINDOWS\system32\xxywWpqP.dll (file missing)
    O2 - BHO: {a7ec1c02-2728-8ff8-48b4-42257c1718d5} - {5d8171c7-5224-4b84-8ff8-827220c1ce7a} - C:\WINDOWS\system32\ihxbyipj.dll
    O2 - BHO: (no name) - {7ECFCFBA-BCCC-4F4B-AC49-675EDAB224FB} - (no file)
    O2 - BHO: (no name) - {87468A2D-3724-4C13-BFAC-6795AE7B5C78} - (no file)
    O2 - BHO: (no name) - {A615CF93-27FC-414A-BF20-4DF32241FDE1} - C:\WINDOWS\system32\nnnoNeEx.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [543dcc99] rundll32.exe "C:\WINDOWS\system32\wjclrwkf.dll",b
    O4 - HKLM\..\Run: [BM570eff05] Rundll32.exe "C:\WINDOWS\system32\ndxrmjhh.dll",s
    O20 - Winlogon Notify: hgGwWQhg - C:\WINDOWS\SYSTEM32\hgGwWQhg.dll


    3) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    4) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    5) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now. I will be gone for a couple of days.

    abri
     
  4. ditto

    ditto Private E-2

    hey abri, i've done what you asked me to do in you first reply and here are the logs, do you want me to do the rest now? or when you've looked through the logs? i hope i've gotten the materials you needed!

    thank you soo much!
     


  5. ditto

    ditto Private E-2

    hey abri, i just did what you asked in the reply here's the MGtools log.

    things are faster now and the pop-ups stopped but i'm not too sure yet. as soon as i scan the system one more time i'll let you know.

    thanks!!
    ditto
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'll try to keep you moving along while Abri is temporarily not around.

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {E772084C-BCD0-4880-B1FE-58574FD9EB71} - C:\WINDOWS\system32\nnnoNeEx.dll (file missing)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Tiffany\Local Settings\Temp

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
     
  7. ditto

    ditto Private E-2

    hey, my computer's running more smoothly now, but it does get a bit laggy at times but not too often

    btw, when i did what abri told me to do and i did a full scan using sophos nothing turned up, but as i was using the internet erm, sophos had like little pop-ups saying i had infected files from trojans and stuff. does this mean that the virus is still there? it hasn't given me any warnings yet though so far

    thanks soo much
    ditto
     


  8. abri

    abri MajorGeek

    Hi ditto,

    For the slowness, go to add/remove programs and uninstall the older version of Spybot which is version 1.4. Check through all your add/remove programs and take out any programs that you don't use. Also, check your Sophos settings and see what scans it might be running in the background. Some realtime protection is needed, but some of the security programs have added in a lot of features which cause a drain on the system. Also, look at what settings you have in your browser. If you're using IE7, the phishing filter takes up a lot of resources. What is Uniblue doing?

    Combofix was temporarily removed from the READ & RUN ME FIRST instructions about the time you were running your scans. If you haven't run that, it would be a good idea to go to the XP Cleaning Instructions and find the Running Combofix link under STEP 2 of that page. Follow the instructions and attach the resulting log with your next post.

    If you continue to get pop-up warnings from Sophos, then you may still have malware on your system. If you go to the Using BitDefender Online Scan you can run this online scan using Internet Explorer. Also, this one is good: Using ESET's Online Scanner

    See if either of these pick up the same things Sophos is picking up.

    abri
     
  9. ditto

    ditto Private E-2

    hey, i did a re-run of sophos and it says that the trojan is still in the system. i attached the logs for the combofix as well as sophos

    thank you,
    ditto
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It only found things from System Restore & possibly backups from removal tools that were run, which will be removed once Abri gives you final instructions. However first you have more malware that needs to be cleaned up (missed it last time) and Abri can help you with that once she returns again.
     
  11. abri

    abri MajorGeek

    Hi ditto,
    Did you run the BitDefender and Eset online scans as I requested? You will see when you go to Alternate Scans and find these two, that there are links which tell you how to run them so they will produce a log we can use. Please attach the results as they are described in the instructions when you finish.
    Thanks.
    abri
     
  12. ditto

    ditto Private E-2

    i tried running the scans but every time i go to either site it asks if i want to install the software, and according to the instructions i'm not supposed to, but every time i click "dont install", neither of the scans would load. so should i install them?

    thanks,
    ditto
     
  13. abri

    abri MajorGeek

    Hi ditto,

    If you are referring to the instructions for running the BitDefender online scan, there should not be anything you need to install. I'm wondering if you got this message for the online or the offline scan?

    Please do the following and let me know how this goes first:

    1) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [Windows live Messenger] msn.com

    After you click fix, just close hijackthis.

    abri
     
  14. ditto

    ditto Private E-2

    hey abri, if i do that one in hijackthis would it delete my windows live messenger? because i use that quite frequently. and for the bitdefender i ran the online one and they still did ask me to install it. i attached the screen shot below

    thanks
    ditto
     


  15. abri

    abri MajorGeek

    Hi ditto,
    Normally when you click on the link at the address we list for BitDefender here at our website http://www.bitdefender.com/scan8/ie.html you will get a window with the words I agree on it. After you click on this, you get the words start scan or something similar. I will ask Chaslang to look at this.
    abri
     
  16. abri

    abri MajorGeek

    Hi ditto,

    BitDefender, like Panda, requires the installation of some files if you've never run it before. Once you've run it, those files will still be on your computer and won't need to be reinstalled each time.

    The entry in your HijackThis log referring to Windows Live is a malware entry. It is in the wrong location and has the wrong name to be the legitimate file. If you fix this entry, you may not need to run BitDefender. Try the instructions in post 13 and let me know how this goes.

    abri
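The HijackThis lines abri lists in post 3, and the Windows Live Messenger Run entry discussed in posts 13 and 16, can be triaged mechanically. The script below is an added example, not part of this thread and not a HijackThis or Sophos tool: it parses constructed sample lines copied from the thread and flags the patterns the helpers fixed (orphaned registrations, random-looking DLL names in system32, Run values with no program path, and one DLL registered as both a BHO and a Winlogon Notify handler). The section names and the "random name" heuristic are assumptions for illustration, not a vendor's detection logic.

```python
import re
from collections import defaultdict

# Constructed sample: HijackThis lines quoted in this thread (posts 3 and 13).
SAMPLE_LOG = r"""O2 - BHO: (no name) - {060BB0AB-4B09-4C51-9ECB-9580A6D08D7F} - C:\WINDOWS\system32\hgGwWQhg.dll
O2 - BHO: (no name) - {315AE683-318E-4302-BF17-EE2CC5DAA28B} - C:\WINDOWS\system32\xxywWpqP.dll (file missing)
O2 - BHO: (no name) - {7ECFCFBA-BCCC-4F4B-AC49-675EDAB224FB} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [543dcc99] rundll32.exe "C:\WINDOWS\system32\wjclrwkf.dll",b
O4 - HKLM\..\Run: [Windows live Messenger] msn.com
O20 - Winlogon Notify: hgGwWQhg - C:\WINDOWS\SYSTEM32\hgGwWQhg.dll
"""

SECTION_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
# A module path anywhere in the entry, quoted or bare: captures the file name.
MODULE_RE = re.compile(r"[A-Za-z]:\\[^\"]*?\\(?P<name>[^\\\"\s,]+\.(?:dll|exe))", re.I)
RUN_VALUE_RE = re.compile(r"\[(?P<value>[^\]]+)\]\s*(?P<cmd>.*)$")


def looks_random(stem: str) -> bool:
    """Assumed heuristic: 8-letter stem with almost no vowels or odd inner capitals."""
    if len(stem) != 8 or not stem.isalpha():
        return False
    vowels = sum(c in "aeiouAEIOU" for c in stem)
    odd_caps = re.search(r"[a-z][A-Z]", stem) is not None
    return vowels <= 2 or odd_caps


def triage(log_text: str):
    """Return (section, reason, line) findings for a HijackThis-style log."""
    findings = []
    seen = defaultdict(set)  # lower-cased module name -> sections referencing it
    for line in log_text.splitlines():
        m = SECTION_RE.match(line.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if "(no file)" in body or "(file missing)" in body:
            findings.append((sec, "orphaned registration (module not on disk)", line))
        mod = MODULE_RE.search(body)
        if mod:
            name = mod.group("name")
            stem = name.rpartition(".")[0]
            seen[name.lower()].add(sec)
            if "system32" in mod.group(0).lower() and looks_random(stem):
                findings.append((sec, f"random-looking module name {name} in system32", line))
        if sec == "O4":
            rv = RUN_VALUE_RE.search(body)
            if rv and not mod and not rv.group("cmd").lower().endswith(".exe"):
                findings.append((sec, f"Run value '{rv.group('value')}' has no program path", line))
    # The same DLL loaded as a BHO and as a Winlogon Notify handler survives browser fixes alone.
    for name, secs in seen.items():
        if "O2" in secs and "O20" in secs:
            findings.append(("O2+O20", f"{name} registered as BHO and Winlogon Notify handler", name))
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"{sec:6} {reason}")
```

Entries that a helper would leave alone (the Java updater here) produce no finding; everything abri and chaslang asked ditto to fix does.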
     
  17. ditto

    ditto Private E-2

    hey sorry i didnt do the hijack this earlier, but i've done it now and i've attached the logs im going to run sophos and i'll get back to u as soon as possible

    thanks,
    ditto
     


  18. ditto

    ditto Private E-2

    i did a rerun of sophos and the virus is still there and i've done bitdefender as well but i don't know why in the save as type box there was no *.txt so i could not save it in that format, only in the *.html format. so what i did was i opened the file in microsoft frontpage, copied the information and pasted it into word and then saved it as *.txt. i hope that's ok =)

    thanks
    ditto
     


  19. abri

    abri MajorGeek

    Hi ditto,
    Please show me your most recent scan from Sophos. I would like to compare it to the BitDefender one. Also, did you get any logs for the Avenger fixes you ran? If you have an Avenger.txt log would you attach that as well?

    Do you know what the following entries belong to? Do you need to have the 015 entries in your trusted zone?

    abri
     
    Last edited: Apr 7, 2008
  20. ditto

    ditto Private E-2

    hey abri, i dont seem to have any avenger logs. but i have attached the sophos logs.


    thanks!
    ditto =)
     

    Attached Files:

    • SAV.txt (167.8 KB)
  21. abri

    abri MajorGeek

    Hi ditto,

    Please delete the following folder: C:\Program Files\BearShare

    Then I would like for you to do the following:
    • If you installed Combofix to the desktop and renamed it cf.exe, remove it by going to Start/Run and copy-pasting in "%userprofile%\Desktop\cf" /u
    • Check for the following and if found, remove them as well by deleting them: ComboFix.exe (if it wasn't renamed), C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, and the C:\combofix.txt log that was created.
    • Next delete all files related to Avenger
    • Then I would like for you to delete the cache in your Internet Explorer browser. This can be found under Tools / Empty Cache
    • Then go into Windows Explorer and find MGTools directly under C:\ (or the root drive where your operating system is installed).
    • Open the MGTools folder and delete the contents.
    • Then delete the folder itself.
    • Look for any leftover logs on your desktop and if found delete them
    • Delete the file SAV.txt which will be the same one you attached to your last post.
    • Run CCleaner
    • After you've completed the above, please follow the instructions at this link for setting a clean restore point. Disable and Enable System Restore!
    After you've finished all of the above, please run Sophos again and attach the log to your next post.
    abri
     
  22. ditto

    ditto Private E-2

    hey, i've managed to do most of the steps but i couldn't delete the SAV.txt. but i have attached the logs again as i just did a scan

    so sorry that this is late


    thanks!
    ditto
     

    Attached Files:

    • SAV.txt (195.9 KB)
  23. abri

    abri MajorGeek

    Hi ditto,
    If you can't delete the SAV.txt, then open it by double clicking on it and delete the contents of it. Then run CCleaner.
    abri
     
  24. ditto

    ditto Private E-2

    hey abri,

    i've been trying for days to delete the contents, but i can't seem to be able to. whenever i delete the contents and try and close notepad, a message will pop up asking if i would like to save it, and whenever i click yes, it'll say that the path is incorrect. also i have all these new files and folders in my c: and d: drives that i have no idea where they came from. the folders are named "recycler", "config.msi" or "system volume information", and there are now files in my folders that i don't recognize. what am i supposed to do with them?


    thanks,
    ditto
     
  25. abri

    abri MajorGeek

    Hi ditto,

    I believe what you are seeing in your c and d drives are the files and folders which are normally hidden. When we have you run the MGTools, we make all your files and folders visible so that malware can't hide. These can be set back to hidden when we finish. Do not delete any of them.

    As for the SAV.txt log, I think we're going about it wrong. This is a file produced by Sophos which tracks all of the viruses it finds. What seems to be happening is that each time you do a scan, it finds the things it already found and it adds them to the log. It's quite possible that this file has been set up so it can't be deleted. Is there a setting in Sophos which will allow you to delete quarantined items or clear your logs or not produce logs?

    abri
     
  26. ditto

    ditto Private E-2

    hey abri

    i found logging levels in sophos, there are: none, normal, and verbose. so do i just set it to none so that it wouldn't produce any more logs?

    also in the quarantine list, at the bottom there's a "clear from list" option, so do i just clear them?

    thanks,
    ditto =)
     
  27. abri

    abri MajorGeek

    Hi ditto,

    "clear from list" means you are putting something back on your computer that was quarantined in error. You don't want that.

    Please go here : www.sophos.com/sophos/docs/eng/manuals/sav2kxp2003_men.pdf

    and download this file and put "clear from list" into the search bar. You can use any pdf reader, but if you don't have one, I recommend Foxit Reader which you can download here at the site at this address: http://www.majorgeeks.com/downloads5.html

    The list is alphabetical so scroll down till you get to Foxit Reader.

    In the section that comes up with this search, you'll find the instructions for clearing the quarantine.

    As for your logging options, the idea of "verbose" appeals to my sense of humor (but it could be useful as well). If you decide on verbose, I would figure out how to empty the quarantine more frequently so the log doesn't get out of hand.

    Let me know how this goes.
    abri
     
