malware help

Discussion in 'Malware Help (A Specialist Will Reply)' started by jvicpogi, Jan 9, 2008.

  1. jvicpogi

    jvicpogi Private E-2

    hi!

    I had this problem with the Virtumonde or Vundo trojan last Dec 28, 2007. I tried using VundoFix.exe but it didn't work, so I followed the steps used in removing malware. The malware was removed on Jan 4, 2008. And I just noticed that my drives D and E have gone missing today, Jan 8, 2008. What happened and what should I do?

    here are the logs just for reference.

    thanks.
     

  2. abri

    abri MajorGeek

    Hi jvicpogi!
    Welcome to the Malware Forum!


    I can see several things from your logs. Your computer is still infected. Please do the following:

    1) You have two antivirus programs running. This is very bad for your computer. Please decide if you are going to use Avast or Norton and then uninstall the one you don't want. Avast can be uninstalled via Add/Remove Programs. To uninstall Norton/Symantec, you need to run the Norton Removal Tool (SymNRT). Both are excellent programs. Symantec requires more resources and costs money.

    2) Now go to add/remove programs and uninstall the below:

    - Java(TM) 6 Update 2
    - Java(TM) SE Runtime Environment 6 Update 1



    3) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {73E96991-4BF7-4D5E-B008-74E34363CF2C} - C:\WINDOWS\system32\mljji.dll (file missing)
    O2 - BHO: (no name) - {98C88B26-3860-490F-B4FA-1A280EFC612D} - C:\WINDOWS\system32\geedd.dll (file missing)
    O2 - BHO: (no name) - {BDE481C3-1450-4414-A4AA-B630F0F1C91B} - C:\WINDOWS\system32\sstqo.dll (file missing)

    After you click fix, just close hijackthis.


    4) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run
    Disable/Remove Windows Messenger


    5) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    6) Now run CCleaner in the default setting with the Windows tab as the active one. Do not check anything which is not already checked. After you hit the Run Cleaner button, there will be a warning that all the files will be permanently deleted. Click on OK and allow it to run. When it's finished, just close it.


    7) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
     
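The three O2 lines above are Browser Helper Object registrations whose DLL is gone from disk, which is why HijackThis marks them "(file missing)". As an added example, not part of this thread or of the MajorGeeks tools, the following Windows PowerShell script lists every BHO registered on the machine and flags the ones whose InprocServer32 DLL no longer exists. It only reports; nothing is deleted, so it can be used to double-check a HijackThis log before fixing. It assumes the standard registry layout (the HKLM Browser Helper Objects key and HKCR\CLSID) and Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the thread): audit Browser Helper Objects and flag those whose
# DLL is missing on disk, i.e. what HijackThis reports as "O2 - BHO ... (file missing)".
# Report only; nothing is removed. Assumes the usual HKLM BHO key and HKCR\CLSID layout.

$BhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-BhoAudit {
    if (-not (Test-Path -LiteralPath $BhoKey)) { return @() }

    Get-ChildItem -LiteralPath $BhoKey | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = $null

        # The default value of InprocServer32 holds the DLL path the BHO loads from
        if (Test-Path -LiteralPath $server) {
            $dll = (Get-ItemProperty -LiteralPath $server).'(default)'
        }

        # Paths may be quoted or use %SystemRoot%; normalise before testing the file
        $expanded = $null
        if ($dll) {
            $expanded = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
        }

        [pscustomobject]@{
            CLSID       = $clsid
            Dll         = $dll
            FileMissing = (-not $expanded) -or (-not (Test-Path -LiteralPath $expanded))
        }
    }
}

# Entries with FileMissing = True are orphaned registrations; a real BHO with a
# present DLL is not necessarily malicious and should be judged on its publisher.
Get-BhoAudit | Format-Table -AutoSize
```

A BHO whose DLL is present still deserves a look (check the file's publisher and signature), but an entry with no DLL at all is dead weight that is safe to remove with HijackThis, exactly as the post instructs.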
  3. jvicpogi

    jvicpogi Private E-2

    Hi! Thanks for the help. Here are the logs.
     


  4. abri

    abri MajorGeek

    Hi jvicpogi!

    I see yet another antivirus and firewall software, Agnitum. Please uninstall this software. Your computer is adequately protected with Avast and Outpost. Your computer can become non-functional when you have more than one antivirus program running.

    Please go to add/remove programs and look for Agnitum. If you find it, uninstall it.

    Next, (whether you find Agnitum or not) continue as follows:

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Symantec Event Manager
    • Then right-click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now repeat the above steps to Stop and Disable the below Services (if you do not find them or get any errors, just continue):
      • Symantec Settings Manager
      • Symantec Lic NetConnect service
    • Click OK until you get back to Windows.
    • Next, Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste ccEvtMgr into the box that opens, and press OK
    • Now repeat the above to delete the below two Services (if you do not find them or get any errors, just continue):
      • ccSetMgr
      • CLTNetCnService
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Now run HJT/analyse.exe (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now: (If you don't find the following entries, just close HijackThis)


    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

    And now, go to Windows Explorer and look for the following folders. If found, delete them:

    C:\Program Files\Common Files\Symantec Shared
    C:\Documents and Settings\All Users\Application Data\Symantec
    C:\Documents and Settings\Horny Peter\Application Data\Symantec


    Finally, I would like for you to disable your guest account. Go to start / settings and look for User Accounts. Make sure the guest account is disabled or stopped.

    After you finish the above, please delete the contents and folders of your nprotect bins which are the Norton Protect bins where old files you've thrown away are stored. Delete the contents and then the nprotect folders themselves.

    When you finish the above, run CCleaner.

    How is your computer running now? Are your malware symptoms gone?

    abri
     
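The services.msc and HijackThis "Delete an NT Service" steps above remove service registrations whose executable (ccSvcHst.exe) was already deleted, which is why the O23 lines show "(file missing)". As an added example, not code from this thread, the following Windows PowerShell script does the same check and cleanup for the three service names the post lists: it looks each one up, tests whether its binary is still on disk, and only for services that exist with a missing binary stops and disables them and then deletes the registration with sc.exe. It assumes an elevated PowerShell prompt; with $DryRun set to $true it only reports.

```powershell
# Added example (not from the thread): check the three Symantec services named in the
# post, report whether each exists and whether its binary is missing, and remove only
# the orphaned ones. Run elevated. $DryRun = $true reports without changing anything.

$ServiceNames = 'ccEvtMgr', 'ccSetMgr', 'CLTNetCnService'
$DryRun = $true

function Get-OrphanedServiceReport {
    param([string[]]$Names)
    foreach ($name in $Names) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if (-not $svc) {
            [pscustomobject]@{ Name = $name; Exists = $false; BinaryMissing = $null; State = $null }
            continue
        }
        # PathName may be quoted and may carry arguments; keep only the executable path
        $exe = $svc.PathName
        if ($exe -match '^"([^"]+)"') { $exe = $Matches[1] }
        elseif ($exe -match '^(.*?\.exe)') { $exe = $Matches[1] }

        [pscustomobject]@{
            Name          = $name
            Exists        = $true
            BinaryMissing = -not (Test-Path -LiteralPath $exe)
            State         = $svc.State
        }
    }
}

function Remove-OrphanedService {
    param([string]$Name, [switch]$WhatIf)
    if ($WhatIf) { Write-Host "Would stop, disable and delete service '$Name'"; return }
    Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $Name -StartupType Disabled -ErrorAction SilentlyContinue
    # sc.exe delete marks the service for removal; the entry disappears after a reboot,
    # which is why the post defers the reboot until HijackThis has run again.
    & sc.exe delete $Name
}

$report = Get-OrphanedServiceReport -Names $ServiceNames
$report | Format-Table -AutoSize

# Act only on services that still exist and whose executable is gone
$report | Where-Object { $_.Exists -and $_.BinaryMissing } | ForEach-Object {
    Remove-OrphanedService -Name $_.Name -WhatIf:$DryRun
}
```

Checking the binary before deleting is the safety net: a Symantec service whose ccSvcHst.exe is still present belongs to an installed product and should be removed with the vendor's Norton Removal Tool rather than by deleting the registration.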
  5. jvicpogi

    jvicpogi Private E-2

    I believe the malware is gone. My anti-virus has not detected any. And my PC is performing well.

    Though, I'm just curious, why did my Microsoft Office, SpywareBlaster, Apple Update, QuickTime Plus, Nero, and some other programs get highlighted? The Start menu seems to believe they are new programs installed.

    Thanks for all the help!
     
  6. abri

    abri MajorGeek

    Hi jvicpogi!
    I don't know why they got highlighted. Each person's computer is a little different. Sometimes the removal of viruses leaves changes to the system. In this case, I would wait and see if that problem resolves itself.

    If you aren't having any other malware issues, please do the following:
    abri
     
  7. jvicpogi

    jvicpogi Private E-2

    Cool! Thanks for the help.

    I've done as instructed. Should I delete the MGTools.exe file too, the one asked to be placed on drive C:?

    The pc's running faster now during startup and the highlighted programs have disappeared.

    Though something's wrong with the taskbar. From time to time, the clock disappears along with the other notifications, and their tab increases, taking up half of the screen. There was even one instance where my Start menu disappeared.
     
  8. abri

    abri MajorGeek

    Hi jvicpogi!
    Because this is not a constant, but an intermittent problem, I don't know if it's related to malware. If you would like, you can try the online scan that Panda does. They pick up a lot of odd things. Go to Alternate Scans and look for Panda Active Scan under the Free Online Scanning Tools. You have to run this with Internet Explorer and you need to have Active X enabled. Be sure to have it save a log and attach the results here.
    abri
     
  9. jvicpogi

    jvicpogi Private E-2

    Yikes!

    My Avira detects a file in Panda which is blumblebee. Here's a GIF picture of what appeared.
     


  10. abri

    abri MajorGeek

    Check your task manager (ctrl alt del) for this program: RUNDLLW32.EXE
    If you find it, highlight it and click on End Process. Close the Task Manager and then reopen it and make sure this program is no longer running.

    If you find the above, please do the following. Let's see if we can find more instances of dcads:

    Now Download the Registry Search Tool

    Unzip to your Desktop and double click on regsrch.vbs
    (if you have script protection in your antivirus program, please allow this to run)

    In the dialog that opens copy and paste in the following:

    Rundllw32.exe

    Press 'OK'

    The search will run for a while then alert you when it is finished. Press 'OK' and copy the contents of the WordPad window and attach it to this thread.

    Please go to Alternate Scans and scroll down to Free Online Scanning Tools. Look for the one called Trend Micro's Free Online Virus Scan and run that.

    Let me know how this goes.

    abri