BHO & Trojan Agent CIF problems

Discussion in 'Malware Help (A Specialist Will Reply)' started by telecaster, Jul 17, 2006.

  1. telecaster

    telecaster Private E-2

    Hi guys,

I've been battling a virus for the last few days. My up-to-date Sophos Anti-Virus spots it but hasn't been able to kill it, even after following the recovery steps.

    I have rigidly followed all the steps set out in your guidelines for troubleshooting and recording logs. I have attached the logs from Bit Defender, Panda Active Scan and Hijack This.

    Thanks for your help :)
     

    Attached Files:

  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox

    Empty the Recycle Bin
    Empty the Internet Explorer Cache

<< The installed version of Java on this computer is outdated. Install version 1.5.0_07, available from http://www.java.com/en/download/manual.jsp. Uninstall all older versions of Java on your computer before installing the latest version of Java. >>

    Follow the directions for the following:
    Running Hoster
    SpywareQuake & SpyFalcon Removal Procedure

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

    On the page that opens, scroll down to Boonty Games - BOONTY ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the 'None of the above, just start the program' button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    Boonty Games - BOONTY

In HJT, choose Open the Misc Tools Section, choose Process Manager, and highlight:
Choose Kill Process.

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

Run Killbox.exe. Paste the filenames below into KILL BOX one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the RED X; it will ask you to confirm the file for deletion, so say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one, click YES and it will reboot. Note that many of the files in the list below may not exist, but we need to check for them anyway.
If Killbox does not reboot, or you get a "Pending Operations" type error message, just reboot your PC yourself.

    Now boot into SAFE MODE

Open ExplorerXP, navigate to, and DELETE the following (some of these may have already been deleted by Pocket Killbox):
Now run CCleaner. If you have Windows XP, delete the contents of C:\WINDOWS\Prefetch.

Then, as an added precaution, go to Start -> Run, type: cleanmgr, and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post the log from SmitRem and a fresh HijackThis log.
     
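The two pieces of this procedure that a defender most often wants to reproduce without the GUI tools are "what BHOs are registered and what DLL does each one load" (the HijackThis O2 lines) and "stop and disable a suspicious service" (the services.msc steps above). The following PowerShell is an added example written for this thread; it is not code from the original post or from HijackThis or Pocket Killbox. It assumes an elevated prompt on a modern Windows build (Get-CimInstance needs PowerShell 3 or later), and it assumes BOONTY is the short service name behind the "Boonty Games - BOONTY" entry quoted above.

```powershell
# Added example (not from the thread): enumerate registered Browser Helper
# Objects with the DLL each loads, then stop and disable a service by name.
# Run from an elevated PowerShell prompt.

$BhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-BrowserHelperObject {
    if (-not (Test-Path $BhoKey)) { return }
    foreach ($entry in Get-ChildItem $BhoKey) {
        $clsid = $entry.PSChildName
        # The CLSID's InprocServer32 default value is the path of the DLL that
        # Internet Explorer loads into every browser process.
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = $null
        if (Test-Path $server) { $dll = (Get-ItemProperty $server).'(default)' }

        $file = $null
        if ($dll) {
            $expanded = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
            $file = Get-Item -LiteralPath $expanded -ErrorAction SilentlyContinue
        }
        # Unsigned or missing DLLs under system32 with recent creation times are
        # the entries worth a closer look; signature status is a triage hint,
        # not proof either way.
        $signed  = 'n/a'
        $created = $null
        if ($file) {
            $signed  = (Get-AuthenticodeSignature -FilePath $file.FullName).Status
            $created = $file.CreationTime
        }

        [pscustomobject]@{
            CLSID   = $clsid
            Dll     = $dll
            Exists  = [bool]$file
            Signed  = $signed
            Created = $created
        }
    }
}

function Disable-SuspiciousService {
    param([Parameter(Mandatory)][string]$Name)   # short service name
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "No service named '$Name'"; return }
    # Record which binary the service runs before touching it, so the file can
    # be hashed or submitted later even if it is removed.
    $path = (Get-CimInstance Win32_Service -Filter "Name='$Name'").PathName
    Write-Host "$Name ($($svc.DisplayName)) runs: $path"
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $Name -Force }
    Set-Service -Name $Name -StartupType Disabled
}

Get-BrowserHelperObject | Format-Table -AutoSize
# 'BOONTY' is the service named in the thread; assumed here to be the short name.
Disable-SuspiciousService -Name 'BOONTY'
```

Disabling the service rather than deleting it straight away keeps the binary path on record; deleting the service entry (the HJT "Delete an NT Service" step) can follow once the file has been captured.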
  3. telecaster

    telecaster Private E-2

    followed all the steps...still got the same problems unfortunately

    logs attached

    thanks
     

    Attached Files:

  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  5. telecaster

    telecaster Private E-2

    winpfind scan results attached - thanks
     

    Attached Files:

  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  7. telecaster

    telecaster Private E-2

VundoFix log attached; it didn't find anything amiss. I've been running the WinPFind scan for over 4 hours and it hasn't yet finished. I'll leave it running through the night and post the log in the morning if it has completed.

My screen is just non-stop with Sophos Anti-Virus messages saying it has detected the virus in a new location but access to the file is denied.

Also non-stop popups from Sygate Firewall warning of content loaders.

The computer is pretty much unusable at the moment, as I just have to keep closing the pop-up windows.
     

    Attached Files:

  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Uninstall the following:
    Java version 1.4.2.3
    Java version 1.5.0.4
    Java version 1.5.0.6

    Terminate WinPFind

    Follow the directions for Using GetRunKey and Using ShowNew.

    Post both runkey.txt and newfiles.txt, as attachments, when finished.
     
  9. telecaster

    telecaster Private E-2

    The WinPFind scan eventually finished during the night, I have attached it here along with the two further scan logs you have requested.

    Many thanks for your help
     

    Attached Files:

  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You still have a Smitfraud & a Virtumonde infection.

    Rename hijackthis.exe to analyse.exe.

    Follow the directions for:
    SpywareQuake & SpyFalcon Removal Procedure
    Virtumonde aka Trojan Vundo Removal

    If you already have these tools on your computer delete them and download again.

    Follow the directions closely do not skip anything.

    Post the following logs.
    - SmitRem
    - VundoFix
    - HijackThis
    - WinPFind
    - GetRunKeys
    - ShowNew

    You will need 2 posts for all 6 logs.
     
  11. telecaster

    telecaster Private E-2

Took a while to get all the scans together... problems are still there though :(

    Vundo couldn't remove one of the infected files, so I removed this manually after I restarted.

    See 2nd post for rest of scan logs
     

    Attached Files:

  12. telecaster

    telecaster Private E-2

    attached
     

    Attached Files:

  13. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

Move HijackThis to C:\Program Files\HJT.

    Uninstall the following versions of Java:
    Java version 1.4.2.3
    Java version 1.5.0.4
    Java version 1.5.0.6

    If these old versions of Java are not uninstalled, the computer will remain vulnerable to infection.

Copy the contents of the quote box below to Notepad; Save As FixReg.reg to your Desktop. DO NOT run it at this time; we will do that later in Safe Mode.
Close Notepad.

In HJT, choose Open the Misc Tools Section, choose Process Manager, and highlight:
Choose Kill Process.

    Now Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

Run Killbox.exe. Paste the filenames below into KILL BOX one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the RED X; it will ask you to confirm the file for deletion, so say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one, click YES and it will reboot. Note that many of the files in the list below may not exist, but we need to check for them anyway.
If Killbox does not reboot, or you get a "Pending Operations" type error message, just reboot your PC yourself.

    Now boot into SAFE MODE

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

Open ExplorerXP, navigate to, and DELETE the following (some of these may have already been deleted by Pocket Killbox):
Now run CCleaner. If you have Windows XP, delete the contents of C:\WINDOWS\Prefetch.

Then, as an added precaution, go to Start -> Run, type: cleanmgr, and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post a fresh HijackThis log.
     
  14. telecaster

    telecaster Private E-2

    BHO still there after carrying out all steps. HJT log attached.

    I was unable to remove C:\WINDOWS\system32\vtutt.dll
    even though I was in safe mode at the time with nothing except explorer running. I then closed explorer and tried to delete through the dos prompt but I was still told the file was being used by another process.

The only version of Java I have installed, as far as I can see, is 1.5.0.7. There is no option in Add/Remove Programs to uninstall any version other than this.

    Thanks
     

    Attached Files:

  15. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

Those old versions are on the system. They were found by VundoFix. Look in Program Files\Java.

    Post a fresh WinPFind log. Looks like we will have to force Vundo to unload from memory and then delete it manually.
     
  16. telecaster

    telecaster Private E-2

    I had already removed the old versions from the programs folder also, but I ran a search and deleted everything on the drive that looked like it was linked to a previous java installation.

    New WinPFind log attached

    thanks
     

    Attached Files:

  17. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Start by downloading two tools we will need

    - Process Explorer
    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on smss.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen, click on each instance of vtutt.dll once and then click the Kill button. After you have killed all of the vtutt.dll instances under winlogon, click OK. (If you do not find the DLL, just continue on.)

    Next double click on winlogon.exe and again click once on each instance of vtutt.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of vtutt.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of vtutt.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on rundll32.exe and again click once on each instance of vtutt.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on wrssdk.exe and again click once on each instance of vtutt.dll and kill it. (If you do not find the dll, just continue on.)

    Now just exit Process Explorer.

Now run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines. DO NOT CLICK FIX until you exit all browser sessions, including the one you are reading in right now:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
Now run Pocket Killbox by double-clicking on killbox.exe.
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\WINDOWS\system32\vtutt.dll
    C:\WINDOWS\system32\ttutv.bak1
    C:\WINDOWS\system32\ttutv.bak2
    C:\WINDOWS\system32\ttutv.ini
    C:\WINDOWS\system32\ttutv.ini2
    C:\WINDOWS\system32\ttutv.tmp
    C:\WINDOWS\system32\ixt0.dll
    C:\Program Files\Common Files\{E427A035-0AE9-6153-0917-040412200161}\Update.exe
    C:\Program Files\ToolBar888\MyToolBar.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    Reboot to Safe Mode.

Open Windows Explorer, navigate to, and delete the following folders:
    C:\Program Files\Common Files\{E427A035-0AE9-6153-0917-040412200161}
    C:\Program Files\ToolBar888


    Reboot to Normal Mode.

    Now attach a new HJT log and tell me how the steps went.
    Make sure you tell me how things are working now!
     
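The Process Explorer walk above is done by hand because, as post 14 found, a DLL injected into winlogon.exe and explorer.exe cannot be deleted while any process still has it mapped, and a "Delete on Reboot" is what finally removes it. The PowerShell below is an added example for this thread, not code from the original post, from Process Explorer or from Pocket Killbox. It lists every process that currently has a given DLL loaded, then queues the file for deletion at the next boot through the documented Win32 call MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which is what writes the PendingFileRenameOperations registry value that the post's Killbox step warns about (that Killbox itself uses this call is an assumption). The file path C:\WINDOWS\system32\vtutt.dll is the one named in the thread; an elevated prompt is assumed.

```powershell
# Added example (not from the thread): find processes that have a DLL mapped,
# then schedule the file for deletion at the next reboot. Run elevated.

function Find-LoadedModule {
    param([Parameter(Mandatory)][string]$ModuleName)
    foreach ($p in Get-Process) {
        # Module enumeration throws for protected processes and for processes
        # of a different bitness than this PowerShell host; skip those.
        try { $mods = $p.Modules } catch { continue }
        foreach ($m in $mods) {
            if ($m.ModuleName -ieq $ModuleName) {
                [pscustomobject]@{ Pid = $p.Id; Process = $p.ProcessName; Path = $m.FileName }
            }
        }
    }
}

# P/Invoke declaration for the real kernel32 export MoveFileExW.
$signature = @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
$Kernel32 = Add-Type -MemberDefinition $signature -Name NativeMethods -Namespace Win32 -PassThru

function Remove-FileOnReboot {
    param([Parameter(Mandatory)][string]$Path)
    $MOVEFILE_DELAY_UNTIL_REBOOT = 4
    # A null destination with this flag means "delete at next boot"; the
    # session manager performs it before any user-mode code can reload the DLL.
    if (-not $Kernel32::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
        $err = New-Object ComponentModel.Win32Exception
        throw "MoveFileEx failed for ${Path}: $($err.Message)"
    }
}

function Get-PendingFileRenames {
    # The queued operations live here as pairs: source path, then destination
    # (empty for a delete). Reviewing this value is a quick check that the
    # deletion is actually scheduled before rebooting.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    (Get-ItemProperty $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
}

$target = 'C:\WINDOWS\system32\vtutt.dll'   # file named in the thread
Find-LoadedModule -ModuleName (Split-Path $target -Leaf) | Format-Table -AutoSize
if (Test-Path -LiteralPath $target) {
    Copy-Item -LiteralPath $target -Destination "$env:TEMP\vtutt.dll.sample" -ErrorAction SilentlyContinue   # keep a copy for hashing / submission
    Remove-FileOnReboot -Path $target
    Get-PendingFileRenames
}
```

The module listing is the same information Process Explorer shows in its DLL view (Ctrl+D) for one process at a time; walking all processes first tells you which hosts would need to be stopped, and whether the DLL is also registered as a Winlogon notification package or BHO that will reload it, before you rely on the reboot deletion.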
  18. telecaster

    telecaster Private E-2

    Looks like you beat it!

    No pop ups on restart. Here's the new HJT log

    Many thanks
     

    Attached Files:

  19. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  20. telecaster

    telecaster Private E-2

    All done and working fine again, thanks so much for your help.

    I'm going to buy a t-shirt to help support a great site :)
     
  21. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You're welcome.

The T-shirts are nice. I have one.
     
