"Unable to log you on..." malware problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by captin007, Jun 4, 2008.

  1. captin007

    captin007 Private E-2

    OK...so I recently got this problem after unwittingly getting malware on my laptop.

    After a Prevx scan my laptop was noted to be infected with malware. The 3 following files were identified all in the windows/system32 folder -

    1) mahwpdvl.dll
    2) cbxrJhif.dll
    3) vtuklkJB.dll

    I manually deleted the first dll (mahwpdvl.dll) but the other 2 files were locked.
    I then manually edited the registry and removed keys pertaining to the above files.

    The problem I now have is that upon reboot I get to the logon screen which then prompts me for my password which I have never used or setup prior to this.

    I am unable to get into windows via any of the boot options (safe mode, command prompt etc).

    Any ideas would be greatly appreciated !
     
  2. captin007

    captin007 Private E-2

    OK..so I managed to remove the malware...but only after I had done an XP Repair install. Doing this let me log back into Windows without any password. Once in Windows I removed the malware. Turns out it was Virtumonde. I used virtubegone.exe to remove it. I then ran Spybot Search & Destroy and CCleaner to make sure it was gone for good. I hope this helps anyone else who comes across a similar problem.
     
  3. abri

    abri MajorGeek

    Hi Captin007,
    Welcome to Major Geeks!


    There's no tool currently available that can get rid of Virtumonde. If you would like for us to check your logs to verify that your computer is actually clean, please go through the instructions in the READ & RUN ME FIRST and attach the requested logs.

    Thanks.
    abri
     
  4. captin007

    captin007 Private E-2

    OK...so it seems there were still traces of Virtumonde. I have since run through the malware checks suggested. Please take a look at my logs attached to see if there's any remaining threat.

    Thanks in advance
     


  5. abri

    abri MajorGeek

    Hi captin007,

    You got most of it. I went through your logs and have a couple of questions left that I'm waiting for an answer on, but for the moment, please proceed with the following:


    First some questions:

    Do you have something called Cricket Scorecard by Express-India? You have a file on your computer which is installed by it called C:\WINDOWS\jestertb.dll which I've added to the Combofix fix below to be removed. If you know this piece of software, then you should remove this file from the fix before you run it. Just take it out when you copy/paste the contents from the code box. If you don't have Cricket Scorecard, I would recommend leaving it in the fix to be deleted.

    Please do the following:

    1) To begin with, please disable Spybot's TeaTimer. This can be done two ways.
    First:
    • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
    • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
    • If you have Version 1.4, Click on Exit Spybot S&D Resident
    or Second, For Either Version :
    • Open Spybot S&D
    • Click Mode, choose Advanced Mode
    • Go To the bottom of the Vertical Panel on the Left, Click Tools
    • then, also in the left panel, click Resident (it shows a red/white shield).
    • If your firewall raises a question, say OK
    • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
    • OK any prompts.
    • Use File, Exit to terminate Spybot

    2) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    3) Install the new Java if you haven't already. I think you have the installation program for it on the desktop.

    4) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O2 - BHO: (no name) - {0C3D1078-0B58-48E4-84DF-36B68833B5D2} - (no file)
    O2 - BHO: (no name) - {5662A737-9A86-47E5-8319-F982393D1DDF} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

    Do the following programs need to load at startup? If not, please fix them as well.

    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

    Can you tell me what the following are?

    O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')

    After you click fix, just close hijackthis.

    5) Next I would like to have you use ComboFix to remove some files.


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

    Code:
    KILLALL::
    
    DIRLOOK::
    C:\Temp\drivers
    
    FILE::
    C:\WINDOWS\system32\RBK56FB.tmp
    C:\WINDOWS\SET84.tmp
    C:\WINDOWS\SET87.tmp
    C:\WINDOWS\TEMP\JET8D1D.tmp
    C:\WINDOWS\TEMP\JET8D3C.tmp
    C:\WINDOWS\jestertb.dll
    
    REGISTRY::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0C3D1078-0B58-48E4-84DF-36B68833B5D2}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5662A737-9A86-47E5-8319-F982393D1DDF}]
    
    [-HKEY_CURRENT_USER\Software\Kazaa]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


    6) Now run CCleaner at the default setting with the Windows tab as the top one.

    7) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Combofix log.


    Let me know how things are running now.

    abri
     
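The HijackThis O2/O4 entries abri asks about above are the kind of thing a helper triages by hand; as an added example (not part of the thread or the tools it mentions), here is a small Python triage script that parses such lines and flags the two patterns in this thread: BHO CLSIDs that are registered but point at "(no file)", and RunOnce entries under service SIDs or .DEFAULT. The sample log is constructed from the lines quoted in the posts above.

```python
import re

# Constructed sample: HijackThis entries quoted in the thread above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0C3D1078-0B58-48E4-84DF-36B68833B5D2} - (no file)
O2 - BHO: (no name) - {5662A737-9A86-47E5-8319-F982393D1DDF} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
"""

# O2 lines: "O2 - BHO: <name> - {CLSID} - <dll path or (no file)>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
# O4 lines: "O4 - <hive>\..\<Run|RunOnce|...>: [<value name>] <command>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def triage(log_text):
    """Return a list of (line, reason) for entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = O2_RE.match(line)
        if m:
            # A BHO whose CLSID is still registered but whose DLL is gone is an
            # orphan: leftovers of removed malware or a half-finished cleanup.
            if m.group("path").strip().lower() == "(no file)":
                findings.append((line, "orphaned BHO " + m.group("clsid")))
            continue
        m = O4_RE.match(line)
        if m:
            hive, key, cmd = m.group("hive"), m.group("key"), m.group("cmd")
            # RunOnce under service accounts / .DEFAULT is unusual for software a
            # user installed; confirm where it came from before fixing it.
            if key == "RunOnce" and hive.startswith("HKUS"):
                findings.append((line, "RunOnce under " + hive))
            elif "regsvr32" in cmd.lower():
                findings.append((line, "regsvr32 autorun"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"[{reason}] {entry}")
```

Ordinary HKLM Run entries such as QuickTime or iTunesHelper are left alone by this script; whether they need to load at startup is a preference question, not a detection one.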
  6. captin007

    captin007 Private E-2

    Hi Abri

    Firstly, a sincere thanks for all your help.

    Anyway...I ran through the procedures you outlined. My latest logs are attached.

    Thanks again.
     


  7. captin007

    captin007 Private E-2

    Hi abri

    Can you take a look at the logs I attached below to see if I'm clean.

    Thanks
     
  8. abri

    abri MajorGeek

    Hi captin007,

    Do you know what the following refer to? Is this something you put into your computer that you know of?

    O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')

    There are two other unusual things showing in your logs which I'm still looking into. Thanks for being patient.


    abri
     
  9. captin007

    captin007 Private E-2

    Hi Abri...

    thanks for your continued help.

    I'm not sure what those lines could refer to. I have updated to IE7 and installed Firefox Beta RC2..both of these ran through a "Runonce" operation the first time I ran them. Is it possible that they are related to this? I'm running on a Sony Vaio laptop...perhaps they are some specific Sony software?
     
  10. abri

    abri MajorGeek

    Hi captin007,

    Could you please zip the below 5 files in your system32 folder and upload them here as an attachment? It's easier to see what they are if we can take a look at them.

    C:\WINDOWS\system32\

    legitcheckcontrol.dll.bak
    RBK5700.bak
    RBK5703.bak
    wgalogon.dll.bak
    wgatray.exe.bak


    Also, do you know what all the following items are on your desktop?

    "C:\Documents and Settings\matt\Desktop\"
    12waye~1.url May 31 2008 73 "????????รบ??????????1??????????? ????? ?????? ???2WAY???? ER217P-S:The Dynamic Store.URL"
    ZIPHONE May 7 2008 "ZiPhone"
    _FITNE~1 Apr 26 2008 "[fitness]"
    ~$stru~1.doc Jun 6 2008 162 "~$struct.docx"


    Thanks.
    abri
     
