Various Virus/Malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by staticbob, Jun 29, 2006.

  1. staticbob

    staticbob Private E-2

    Guys,

    Could somebody help me sort this system out please, I'm on the verge of a re-install.

    I have completed all tasks on the required sticky thread " READ & RUN ME FIRST Before Asking for Support". The only task that I could not complete was the online Panda scan, I can not get it downloaded or running.

    I have attached logs from BitDefender and HJT.

    I thought the initial problem was down to surfsidekick, but SpyBot S&D sorted that eventually.

    I am having problems now installing programs like AVGFree and other AV tools.....
    "Installer initialization failed due to following error:
    Undefined error: Cannot find window class. (1407)"

    I'm also getting lots of strange pop-up messages, looking like Windows system messages warning about various things.

    Any advice?

    Thanks
    Bob


    Last edited: Jun 29, 2006
  2. staticbob

    staticbob Private E-2

    HJT log file....


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    You have a bunch of problems (as you will see based upon the length of the steps below). One of them is a Virtumonde infection.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Firewall service ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    FWSvc

    If you receive any error messages just ignore them and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.


    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\Program Files\outlook\outlook.exe
    C:\WINDOWS\system32\1961023a.exe
    C:\windows\system32\_zskwrkni05`l^_hbgwylxkpgtd.exe
    C:\WINDOWS\system32\winlog.exe
    C:\dfndrc_2.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
    O4 - HKLM\..\Run: [keyboard] C:\\kybrdc_2.exe
    O4 - HKLM\..\Run: [w164e52c.dll] RUNDLL32.EXE w164e52c.dll,I2 0015bd3b0164e52c
    O4 - HKLM\..\Run: [1961023a.exe] C:\WINDOWS\system32\1961023a.exe
    O4 - HKLM\..\Run: [chkdsk] C:\WINDOWS\System32\chunk0.exe
    O4 - HKLM\..\RunServices: [ÿ_zskYS^VZ`HDR]] C:\WINDOWS\System32\_zskwrkni05RZJVN\]RDH`ZV^SY.exe
    O4 - HKLM\..\RunServices: [ÿ_zskdtgpkxlywgbh_^l`50inkrwksz_] c:\windows\system32\_zskwrkni05`l^_hbgwylxkpgtd.exe
    O4 - HKLM\..\RunServices: [winlog] winlog.exe
    O4 - HKCU\..\Run: [1961023a.exe] C:\Documents and Settings\Admin\Local Settings\Application Data\1961023a.exe
    O4 - HKCU\..\Run: [ÿ_zskdtgpkxlywgbh_^l`50inkrwksz_] c:\windows\system32\_zskwrkni05`l^_hbgwylxkpgtd.exe
    O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/winantivirus.com/main/pages/scanner/files/WinAntiVirusPro2006ScannerInstall.cab
    O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\cnlbact.dll (file missing)
    O21 - SSODL: UPnPMonitor - {945D7B4B-6E68-EF6B-9924-46296979F301} - (no file)
    O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)
    O21 - SSODL: WuTCOb - {3C600FA0-96CA-A50A-0EAC-114067C60AA2} - C:\WINDOWS\System32\qeqqw.dll


    After clicking Fix, exit HJT.

    Now please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Put a check next to Run VundoFix as a task.
    • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
    • When VundoFix re-opens, click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Wait a minute and turn your PC back on but make sure you boot into Safe Mode.
    • Please attach the log from VundoFix (C:\vundofix.txt) later, after you complete the steps below.

    After booting into safe mode, use Windows Explorer to delete the below if found:
    C:\Program Files\outlook <--- the whole folder
    C:\Program Files\WinAntiVirus Pro 2006 <--- the whole folder
    C:\dfndrc_2.exe
    C:\kybrdc_2.exe
    C:\Documents and Settings\Admin\Local Settings\Application Data\1961023a.exe
    C:\WINDOWS\system32\1961023a.exe
    C:\WINDOWS\System32\chunk0.exe
    C:\WINDOWS\System32\qeqqw.dll
    C:\WINDOWS\system32\w164e52c.dll
    C:\WINDOWS\system32\winlog.exe
    C:\windows\system32\_zskwrkni05`l^_hbgwylxkpgtd.exe
    C:\WINDOWS\System32\_zskwrkni05RZJVN\]RDH`ZV^SY.exe
    C:\WINDOWS\comdlg66.dll

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post the two logs:

    1) the log from VundoFix (C:\vundofix.txt).

    2) a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
    Last edited: Jun 30, 2006
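The HJT lines quoted in the post above follow a fixed shape per section (O4 Run/RunServices values, O16 ActiveX downloads, O20 Winlogon Notify packages, O21 SSODL objects). As an added example, not from this thread or from the HijackThis author, this Python parser turns those lines into records, expands the `HKLM\..\Run` shorthand to the full registry key, and builds the list of on-disk files an analyst would need to locate, skipping entries HJT already marks as "(file missing)" or "(no file)". The sample log is constructed from the lines quoted above, with the O16 URL replaced by a placeholder.

```python
import re
from dataclasses import dataclass
# Constructed sample shaped like the HijackThis lines quoted above; the O16 URL is a placeholder.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [w164e52c.dll] RUNDLL32.EXE w164e52c.dll,I2 0015bd3b0164e52c
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://placeholder.invalid/ScannerInstall.cab
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\cnlbact.dll (file missing)
O21 - SSODL: UPnPMonitor - {945D7B4B-6E68-EF6B-9924-46296979F301} - (no file)
O21 - SSODL: WuTCOb - {3C600FA0-96CA-A50A-0EAC-114067C60AA2} - C:\WINDOWS\System32\qeqqw.dll
"""
@dataclass
class Entry:
    section: str   # HJT section code (O4, O16, O20, O21)
    location: str  # expanded registry key, CLSID, or hook type
    name: str      # Run value name / SSODL name / notify package
    target: str    # file or URL the entry points at ("" if none)
    present: bool  # False when HJT reported "(file missing)" / "(no file)"
# HJT writes HKLM\..\Run as shorthand for HKLM\Software\Microsoft\Windows\CurrentVersion\Run
RUN_ROOT = r"Software\Microsoft\Windows\CurrentVersion"
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\([^:]+): \[([^\]]*)\] (.*)$")
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}) - (\S+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (.+?) - (.*?)\s*(?:\((file missing)\))?$")
O21_RE = re.compile(r"^O21 - SSODL: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.*?)\s*(?:\((no file)\))?$")
# image launched by a Run-key command line; for a rundll32 host, the DLL it is told to load
CMD_RE = re.compile(r"^(?:rundll32(?:\.exe)?\s+)?([^,]+?\.(?:exe|dll|com|scr))(?:[,\s]|$)", re.I)

def target_of(cmd: str) -> str:
    return m.group(1) if (m := CMD_RE.match(cmd.strip())) else cmd.strip()

def parse_hjt(text: str) -> list:
    """Parse O4/O16/O20/O21 lines into Entry records; lines from other sections are skipped."""
    out = []
    for line in (raw.strip() for raw in text.splitlines()):
        if m := O4_RE.match(line):
            hive, key, name, cmd = m.groups()
            out.append(Entry("O4", f"{hive}\\{RUN_ROOT}\\{key}", name, target_of(cmd), True))
        elif m := O16_RE.match(line):
            out.append(Entry("O16", m.group(1), "", m.group(2), True))
        elif m := O20_RE.match(line):
            out.append(Entry("O20", "Winlogon Notify", m.group(1), m.group(2), m.group(3) is None))
        elif m := O21_RE.match(line):
            out.append(Entry("O21", m.group(2), m.group(1), m.group(3), m.group(4) is None))
    return out

def files_to_check(entries: list) -> list:
    """Distinct on-disk targets to locate, in log order; URLs and dead references are dropped."""
    return list(dict.fromkeys(e.target for e in entries
                              if e.present and e.target and not e.target.lower().startswith("http")))
```

Bare names such as winlog.exe come back without a directory because the Run value itself carries none; the post above shows where that one actually lived (system32).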
  4. staticbob

    staticbob Private E-2

    Hi Chas, thanks for the response.

    I had actually spent a good few hours last night working through various things, and removing common sense items that were obviously causing an issue. I also managed to get AVGFree and ZoneAlarm installed, updated and running correctly.

    I have still gone through all of the steps you highlighted, not all of the files in HJT or Windows were present, but some were and have been fixed/removed.

    Things now seem to be running much better. No more adware popups, cmd.com and regedit.com have been removed so those commands now work in Start-Run.

    No more spoof Windows messages telling me I have problems with various things. WinAntiVirus Pro 2006 still appears in Control Panel though? And also, only tiny issues now, the taskbar disappears whenever I launch IE6. Hitting the Windows key will get it back, so too will closing/minimising all IE instances. This doesn't happen with other windows, taskbar properties are NOT set to autohide.

    I have attached a new HJT log, and VundoFix, although I think AVG already fixed Vundo as it was not detected. (Although VundoFix would NOT restart as a service? I had to run the exe a 2nd time and scan.)

    Any more advice?

    Thanks
    Bob


  5. staticbob

    staticbob Private E-2

    I've just run AVG again and it picked up....

    Trojan horse Downloader.Generic2.DBJ

    in

    C:\WINDOWS\system32\S?mantec\tracert.exe
    C:\Program Files\F?nts\nslookup.exe

    And fixed them.

    Also, on other user accounts, just created, I'm getting www.timecomputers.com as the homepage, even when I go and change it resets when launching IE again. Time really are a bunch of *******.

    AND, on the 2 other user accounts, which I have left with admin rights at the moment, "Unable to reset Web Settings" in IE Properties, from the desktop.

    Fixing this in HJT doesn't work...
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.timecomputers.com
    Last edited: Jun 30, 2006
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's only work one user account at a time to avoid any confusion as to what we are working on.

    In your last HJT log the below still exists:


    O4 - HKLM\..\RunServices: [ÿ_zskYS^VZ`HDR]] C:\WINDOWS\System32\_zskwrkni05RZJVN\]RDH`ZV^SY.exe


    You need to fix this line and then try to locate all strange folders or filenames like this and delete them. This is actually a folder and a file. You may need to delete them in safe mode.

    Then reboot into normal mode and attach a new HJT log.

    Now continue on to the below.

    Please download ProcessExplorer
    • Unzip it to its own folder somewhere you can locate it.
    • Now run procexp.exe by double clicking on it.
    • Let's configure some options first:
      • Click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLLs is checked.
      • Now click on iexplore.exe.
      • Now also under the View menu choose "Select columns" and put a check mark on "Image Path".
    • Now click on File and then Save As. And save the process list.
    • Post it back here as an attachment.
    Now run the below procedure and attach the runkeys.txt log.

  7. staticbob

    staticbob Private E-2

    Thanks Chas,

    Everything done. I could not see any instances of...

    O4 - HKLM\..\RunServices: [ÿ_zskYS^VZ`HDR]] C:\WINDOWS\System32\_zskwrkni05RZJVN\]RDH`ZV^SY.exe

    Or anything similar in Windows Explorer, in safe mode, although HJT is still picking it up. I have all files (hidden/system) showing but still can't see anything.

    Latest HJT and other requested logs attached,

    Thanks
    Bob


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure about that??? It is still in your system!

    Your ProcessExplorer log looks like it was from safe mode. There was very little running.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now reboot into safe mode and make sure viewing of hidden and system files is enabled. Then use Windows Explorer to look in your c:\windows\system32 folder. Look for any files that begin with dcom_ and end with .dll

    For example:
    dcom_14.dll
    dcom_25.dll

    If you find any, right click on each one (one at a time) and select Rename. Then rename the files to have a .DDD extension.
    For example:
    dcom_14.DDD
    dcom_25.DDD

    Remember what you find and rename and tell me later. DO NOT rename DCOMCNFG.EXE; it is not a match to what I'm saying, and it is a valid file.

    Then reboot into normal mode and run the below!

    Now run the below procedure and attach the newfiles.txt log.

    Using ShowNew

    Then also attach a new HJT log.
  9. staticbob

    staticbob Private E-2

    Hi Chas,

    Right, all that done.

    O4 - HKLM\..\RunServices: [ÿ_zskYS^VZ`HDR]] C:\WINDOWS\System32\_zskwrkni05RZJVN\]RDH`ZV^SY.exe

    This file still exists in HJT log and it still won't fix. I have searched in all folders and can't find anything named like this anywhere... using explorer.

    I did find one dcom dll, renamed to dcom_24.ddd

    Log file attached as requested.

    Bob


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you recently (around June 23) try installing IE 7 beta?


    Download and Install Registrar Lite (Make sure you select a download link from Majorgeeks and not the Author's)

    Copy and paste the below into the bar of Registrar Lite and take ownership of it:

    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\RunServices

    To take ownership of the key do the following:
    Click-on the above Registry Key
    Click-on Security in the top Menu
    Select Take Ownership

    Now try to locate the below subkey that is under the above key and select it and right click on it and select Delete

    _zskYS^VZ`HDR

    You may have to check around to locate this key because the text seen above in my message may or may not match what is in the registry itself.

    Then in the top menu of Registrar Lite, click View and Refresh. Check to see if the key was actually deleted. Let me know. Also if you get any error messages while doing these steps, tell me exactly when you get the error and exactly what it says.

    After deleting the registry key, exit Registrar Lite and attach a new HJT log (but only if it actually worked).

    Let me know if you had any problems following this procedure.


    You also need to locate and delete the below two files:
    C:\WINDOWS\chk.exe
    C:\WINDOWS\SYSTEM32\w007d58d.dll