Trying to remove Virtumonde & Zlob

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ashleys8888, May 20, 2008.

  1. ashleys8888

    ashleys8888 Private E-2

    My computer became infected w/ these a couple of days ago. I came here and followed the instructions in the "Special Removal Procedures - SmitFraud,Virtumonde,Qoologic,SpyAxe,Look2ME,Zlob" sticky. I used the smitfraudfix and the vundofix. I noticed a big difference after the smitfraudfix. However, Vundofix said it didn't find anything. I then went to the Windows XP cleaning procedure for the malware removal guide. I did everything on there, so I guess the next step is to attach my logs for you guys to check. Thanks!
     

    Attached Files:

  2. ashleys8888

    ashleys8888 Private E-2

    Here is the other log.
     

    Attached Files:

  3. abri

    abri MajorGeek

    Hi ashleys8888,
    Welcome to Major Geeks!

    You've still got some serious malware, but the work you did helped a lot. Please do the following:



    1) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    2) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O2 - BHO: (no name) - {FECCAD6A-C1AD-44B0-B6B8-3F6B64BFF5C4} - (no file)
    O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
    O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll


    After you click fix, just close hijackthis.


    3) Download and install Erunt. Use it to create a backup of your registry.

    4) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the File Type is set to "all files" Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.
    5) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt




    6) Now run CCleaner at the default setting with the Windows tab as the top one.

    7) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
     
  4. ashleys8888

    ashleys8888 Private E-2

    Everything seems to be running fine, but I'll let you be the judge. Here are the 2 logs. Thanks so much for your help.
     

    Attached Files:

  5. abri

    abri MajorGeek

    Hi ashleys8888,

    It's better, but there are still a couple of stubborn files.

    1) Please follow the instructions at Using SDFix and attach the log when you're through.

    2) After you complete the above, please rename this file by adding zzz to the end:

    C:\WINDOWS\system32\drivers\bgL38.sys ------> bgL38.sys.zzz

    3) Run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the SDFix log.

    How are things going now?

    abri
     
  6. ashleys8888

    ashleys8888 Private E-2

    I was able to do steps 1 and 3, but unable to rename the file in step 2. When I tried it said "Cannot rename bgL38: Access is denied. Make sure disk is not full or write-protected and that the file is not currently in use."
     

    Attached Files:

  7. abri

    abri MajorGeek

    Hi ashleys8888,

    Please do the following:


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    DRIVER::
    bgL38
    
    FILE::
    C:\WINDOWS\system32\drivers\bgL38.sys
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.

    When you finish, run CCleaner.

    Then double click on the Combofix.txt or cf.txt file under C:\ and see if that file got deleted. I'd like to see it as well, so please attach it with your next post.

    Thanks.
    abri

     
  8. ashleys8888

    ashleys8888 Private E-2

    Here you go. Let me know if it worked, I can't tell by reading the log myself, too much of a novice!
     

    Attached Files:

    Last edited: May 22, 2008
  9. abri

    abri MajorGeek

    Hi ashleys8888,

    These creatures are tough. I'm wondering if there might be a rootkit that's causing them to come back. I will first ask you to run two rootkit scans and then we'll do another removal procedure and see if there might be something behind them.

    Please go to
    Alternate Scans and scroll about halfway down the page. In the list of rootkit scans, choose the AVG Anti-Rootkit scan and the Rootkit Hook Analyzer. After running both of these, please do the following:


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    DRIVER::
    bgL38
    flQ62
    
    FILE::
    C:\WINDOWS\system32\drivers\bgL38.sys
    C:\WINDOWS\system32\drivers\flQ62.sys
    C:\WINDOWS\system32\WinCtrl32.dll
    
    Registry::
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\bgL38.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\flQ62.sys]
    
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.

    When you finish, run CCleaner.

    Then run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the logs from AVG Anti-Rootkit, RootkitHook Analyzer and from Combofix.txt (might be cf.txt)

    Thanks.
    abri
     
  10. ashleys8888

    ashleys8888 Private E-2

    I've been trying to load the page with the download for the AVG Anti-Rootkit but it keeps coming up blank. Is it just my computer? The Rootkit Hook Analyzer page w/ the download for it comes up fine though. What should I do?
     
  11. abri

    abri MajorGeek

    Hi ashleys8888,

    Sorry, I forgot AVG incorporated it into their new security suite. It's probably not supported as a standalone tool anymore. Please try this one instead: Running GMER to detect rootkits

    abri
     
  12. abri

    abri MajorGeek

    Need to add one more note:

    The following file is not in the Combofix files that need to be deleted. If you haven't run those instructions yet, please add it together with the other Files under the word FILE::

    C:\WINDOWS\system32\WinCtrl32.dl_

    If you already ran those instructions, don't worry about it. I will be able to see if it's still there in your combofix log when you post it.

    Thanks.
    abri
     
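As an added example (not part of the thread and not code from HijackThis, Avenger or ComboFix), the following PowerShell script checks from an elevated prompt whether any of the artefacts named in posts 3, 9 and 12 are still present after the fixes have run: the files and drivers listed under FILE:: and DRIVER::, the Winlogon Notify and SafeBoot keys removed under Registry::, the Policies\System values, the ctfmona Run value and the BHO CLSID. It assumes Windows lives at $env:SystemRoot (C:\WINDOWS in the thread), that the BHO is registered in the standard CLSID and Browser Helper Objects locations, and that a driver named under DRIVER:: is registered as a service under HKLM\SYSTEM\CurrentControlSet\Services\<name>; those three registry paths are assumptions, not something the thread lists.

```powershell
# Added example, not from the MajorGeeks thread. Run elevated.
# Assumption: Windows installed at $env:SystemRoot (C:\WINDOWS in the thread).
$sys32 = Join-Path $env:SystemRoot 'system32'

# Files named in the HijackThis, Avenger/ComboFix and follow-up posts
$files = @(
    (Join-Path $sys32 'ctfmona.exe'),
    (Join-Path $sys32 'WinCtrl32.dll'),
    (Join-Path $sys32 'WinCtrl32.dl_'),
    (Join-Path $sys32 'drivers\bgL38.sys'),
    (Join-Path $sys32 'drivers\flQ62.sys')
)

# Keys that should be gone. The CLSID/BHO and Services paths are assumed
# standard registration locations; the others come from the CFScript.
$bhoClsid = '{FECCAD6A-C1AD-44B0-B6B8-3F6B64BFF5C4}'
$keys = @(
    "HKLM:\SOFTWARE\Classes\CLSID\$bhoClsid",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bhoClsid",
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\bgL38.sys',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\flQ62.sys',
    'HKLM:\SYSTEM\CurrentControlSet\Services\bgL38',
    'HKLM:\SYSTEM\CurrentControlSet\Services\flQ62'
)

# Values that should be gone
$runKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$policyKeys  = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System')
$policyNames = @('HideLegacyLogonScripts','HideLogoffScripts','RunLogonScriptSync',
                 'RunStartupScriptSync','HideStartupScripts')

$findings = @()

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $item = Get-Item -LiteralPath $f -Force   # -Force shows hidden/system files
        $findings += "FILE    $f  ($($item.Length) bytes, $($item.Attributes))"
    }
}

foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings += "KEY     $k" }
}

$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['ctfmona']) {
    $findings += "VALUE   $runKey\ctfmona = $($run.ctfmona)"
}

foreach ($pk in $policyKeys) {
    $p = Get-ItemProperty -Path $pk -ErrorAction SilentlyContinue
    if ($p) {
        foreach ($n in $policyNames) {
            if ($p.PSObject.Properties[$n]) { $findings += "VALUE   $pk\$n = $($p.$n)" }
        }
    }
}

# A driver that is still loaded is the usual reason a plain rename of its
# .sys file fails, which is why the CFScript stops it under DRIVER:: first.
foreach ($d in @('bgL38','flQ62')) {
    $drv = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='$d'" -ErrorAction SilentlyContinue
    if ($drv) { $findings += "DRIVER  $d state=$($drv.State) path=$($drv.PathName)" }
}

if ($findings.Count -eq 0) {
    'No artefacts from the thread remain.'
} else {
    'Remaining artefacts:'
    $findings | ForEach-Object { "  $_" }
}
```

Anything the script lists is what to paste back into the next CFScript or to look for in the ComboFix log; a DRIVER line in state Running is the case where a rename will keep failing until the service is stopped. Get-WmiObject is used so the script also works on the PowerShell versions that ran on Windows XP; on current Windows, Get-CimInstance does the same job.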
  13. ashleys8888

    ashleys8888 Private E-2

    I haven't been able to export the results from the Rootkit Hook Analyzer to a text file. When I try I get a box that says "Access violation at address 0049550C in module 'hookAnalyzer.exe'. Read of address 00000360." So I click the only option in the box, which is "OK". Then when I open the file I just saved it is empty.
    In the results though in red it shows 1 kernel hook found.
    Under Service Name it says NtTerminateProcess, ZwTerminateProcess
    Under Syscall it says 257
    Address says 0xAAE26F20
    Hooked says YES
    Module says SASKUTIL.sys

    Whether or not all that is something you need, I don't know, but thought I would add it since I couldn't provide the text file.
     

    Attached Files:

  14. abri

    abri MajorGeek

    Hi ashleys8888,

    That looks better. I have a few cleanup steps for you which will make your computer less vulnerable and get out all the tools and logs we had you put on your computer, and also set a clean restore point. Please do the following:

    1) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) - (you may be asked to install the current version when it's needed - just say yes)


    After you click fix, just close hijackthis.


    2) Now I will give you a set of final cleanup instructions in the box below. If you want to keep HijackThis and the backups, use the alternate instructions at the bottom of the box before you delete the MGTools.
    abri
     
