Request for help to remove Malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by dobs, Feb 15, 2007.

  1. dobs

    dobs Private E-2

    I have been attempting to eliminate a malware infection for three long days now without success. There are occasions, particularly when connected to the internet, the malware grinds the machine into the ground and the mouse ceases to respond. Unplugging the network cable generally fixes the problem immediately for a while, until the machine is later almost frozen up and a shutdown is the only solution.

    Spybot suggested Virtumonde and Smitfraud are present and I followed both the VundoFix and Smitrem recommendations. (The VundoFix several times in Normal and Safe boot modes without success.) So this is one mean piece of malware!

    BTW: I wanted to try Running SpySweeper on your alternative scans page but the link did not work for me.

    Attached are the first three logs for:

    VundoFix.txt
    Smitfiles.txt
    ActiveScan.txt

    The remainder, as per your READ ME FIRST instructions, follow in the next posting.

    Any advice on how to fix the machine and I shall be very grateful.
     

  2. dobs

    dobs Private E-2

    Other log files:

    ccleaner1.txt (original file exceeded 250k limit)
    ccleaner2.txt
    bdscan.txt
     

  3. dobs

    dobs Private E-2

    More log files:

    runkeys.txt
    newfiles.txt
    hijackthis.log

    I was unable to rerun PandaScan because the machine froze up this morning as soon as the network cable was reconnected. Hopefully you will be able to use the ActiveScan results generated when following the Smitrem procedure a couple of days ago.

    Running Spybot yet again found:

    Two tracking cookies: Avenue A. Inc and DoubleClick

    Plus Virtumonde.

    Let me know if the screenshot would be useful for analysis.
     

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please set msconfig to normal startup.

    Run KillBox and delete these:

    C:\WINDOWS\system32\dqcogktd.ini
    C:\WINDOWS\system32\npqss.ini


    Please delete these thru add/remove programs in the control panel:
    Java 2 Runtime Environment, SE v1.4.2_01
    Messenger Plus! 3 & Sponsor
    Messenger Plus! Live & Sponsor

    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - (no file)
    O2 - BHO: (no name) - {46B65489-7ABD-425D-8DF1-F5448498FB75} - (no file)
    O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - (no file)
    O2 - BHO: (no name) - {7C36A510-2214-414D-993B-D10D60E7A05B} - C:\WINDOWS\System32\jkkjk.dll (file missing)
    O2 - BHO: (no name) - {7FA3EE75-C9E3-4E36-8E58-495B9E3ABD02} - C:\WINDOWS\System32\awtqn.dll (file missing)
    O2 - BHO: (no name) - {A4BC46F0-E5B9-401A-8FF3-0AB74273518B} - (no file)
    O2 - BHO: (no name) - {D199B08D-ADCA-4326-9515-0C463B906889} - C:\WINDOWS\System32\fccaywv.dll (file missing)
    O4 - HKLM\..\Run: [Microsoft Telecoms Center] svcenter.exe
    O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] svcenter.exe
    O20 - Winlogon Notify: jkkjk - C:\WINDOWS\System32\jkkjk.dll (file missing)

    After clicking Fix, exit HJT.

    Now attach new logs for:

    * GetRunKey
    * ShowNew
    * HJT

    Be sure to tell us how things are running.
     
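    The HijackThis lines selected above fall into a few recognisable patterns: O2 BHO entries and an O20 Winlogon Notify hook whose DLL is already gone (the "(no file)" and "(file missing)" leftovers of a Vundo cleanup), and O4 autoruns that launch a bare file name under a Microsoft-sounding label. As an added example that is not from this thread or from the HijackThis tool itself, here is a small Python triage script run over constructed log lines modelled on the ones above; the regexes, category names and the benign "Example Helper" entry are my own assumptions.

```python
import re

# Constructed sample modelled on the entries quoted in the post above; the
# "Example Helper" line is a made-up benign entry included to show a non-finding.
SAMPLE_LOG = """\
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - (no file)
O2 - BHO: (no name) - {7C36A510-2214-414D-993B-D10D60E7A05B} - C:\\WINDOWS\\System32\\jkkjk.dll (file missing)
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example\\helper.dll
O4 - HKLM\\..\\Run: [Microsoft Telecoms Center] svcenter.exe
O4 - HKLM\\..\\RunServices: [Microsoft Telecoms Center] svcenter.exe
O20 - Winlogon Notify: jkkjk - C:\\WINDOWS\\System32\\jkkjk.dll (file missing)
"""

# Hypothetical patterns for the three HijackThis entry types discussed above.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<target>.*)$")

def is_orphaned(target):
    """True when HijackThis reports that the registered file is absent."""
    t = target.strip()
    return t == "(no file)" or t.endswith("(file missing)")

def triage(log_text):
    """Return a list of findings (kind, id, line) for entries worth reviewing."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := BHO_RE.match(line)) and is_orphaned(m["target"]):
            findings.append({"kind": "orphaned_bho", "id": m["clsid"], "line": line})
        elif (m := NOTIFY_RE.match(line)) and is_orphaned(m["target"]):
            findings.append({"kind": "orphaned_winlogon_notify", "id": m["key"], "line": line})
        elif m := RUN_RE.match(line):
            cmd = m["cmd"].strip().strip('"')
            # A bare file name (no directory) is resolved through the search path at
            # logon, so a vendor-sounding label with no vendor path deserves a look.
            if "\\" not in cmd and "/" not in cmd:
                findings.append({"kind": "unqualified_autorun", "id": cmd, "line": line})
    return findings

def summarize(findings):
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:26} {f['id']:40} {f['line']}")
```

The R0/R1 lines are left alone on purpose: go.microsoft.com/fwlink targets are Internet Explorer defaults and carry no information about the infection by themselves.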
  5. dobs

    dobs Private E-2

    Dear Tim,

    First, many thanks for your help. I have followed the instructions and attach the three log files. The machine is running fine at the moment.
     

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used Pocket Killbox during your cleanup, do the below
    * Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
    * go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
    * How to Protect yourself from malware!
     
  7. dobs

    dobs Private E-2

    Dear Tim,

    Everything appeared to be OK so I ran through the cleanup procedures, customised the startup again when things seemed slightly slow.

    Running Spybot lists Virtumonde as still present, plus a few cookies it does not like.

    Attached are log files from custom startup mode for:

    hijackthis.log
    newfiles.txt
    runkeys.txt

    I shall post the logs from normal startup next.
     

  8. dobs

    dobs Private E-2

    And the log files in normal startup mode are attached.
     

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    These items are still showing in your logs.

    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - (no file)
    O2 - BHO: (no name) - {46B65489-7ABD-425D-8DF1-F5448498FB75} - (no file)
    O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - (no file)
    O2 - BHO: (no name) - {7C36A510-2214-414D-993B-D10D60E7A05B} - (no file)
    O2 - BHO: (no name) - {7FA3EE75-C9E3-4E36-8E58-495B9E3ABD02} - (no file)
    O2 - BHO: (no name) - {A4BC46F0-E5B9-401A-8FF3-0AB74273518B} - (no file)
    O2 - BHO: (no name) - {D199B08D-ADCA-4326-9515-0C463B906889} - (no file)
    O20 - Winlogon Notify: jkkjk - C:\WINDOWS\
    After clicking Fix, exit HJT.

    Now download and run Viftumudo. Attach the log and also attach new logs for:

    * GetRunKey
    * ShowNew
    * HJT

    Be sure to tell us how things are running.
     
  10. dobs

    dobs Private E-2

    Dear Tim,

    I have run the procedures as described, in Normal mode, and then rebooted the machine and rerun Spybot to regrettably find Virtumonde still present.

    Attached are the logs from the Virtumonde cleanup program, which reported that it could not find anything, a screenshot from Spybot plus the other three requested logs.
     

  11. dobs

    dobs Private E-2

    Other two logs attached:
     

  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What is this?
    C:\\Documents and Settings\\All Users\\Application Data\\Dvd does film info\\Stupid platform.exe"

    Does the registry key that spybot reports exist?

    Your logs are clean otherwise.
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Do our final steps which may stop Spybot from catching the Virdu ..
    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used Pocket Killbox during your cleanup, do the below
    * Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
    * go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
    * How to Protect yourself from malware!
     
  14. dobs

    dobs Private E-2

    That's a good question. The 'Stupid' exe does not exist in Add/Remove Programs and is not visible through Explorer. (I have set hidden and system files to be visible.)
    I am not sure what to make of it?

    The reg key does exist and is attached as a txt file.
     

  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Turn off teatimer in Spybot and run:
    SuperAntiSpyware
    which should remove any last traces of the VSAdd-in.


    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Then post new GetRun, ShowNew and SuperAntispy logs.
     
  16. dobs

    dobs Private E-2

    Dear Tim,

    I think you have cracked it!

    The attached log shows just tracking cookies found by SuperAntiSpyware but the registry fix seems to have been the critical step.

    I have run Spybot and SuperAntiSpyware again, after rebooting and whilst connected to the internet, and they both say the system is clean.

    Is there a final cleanup procedure I should now follow?

    Also, looking around the MajorGeeks website, you have compiled a fantastic range of tools and I was wondering if there is a tool I can use to make that 'Stupid' exe visible as I can't help wondering if it still lurks on the system?

    Many, many thanks for your help.
     
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    GetUnKeys

    This will give you the hidden uninstall list.

    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used Pocket Killbox during your cleanup, do the below
    * Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
    * go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
    * How to Protect yourself from malware!
     