Virtum-Gen and BHO

Discussion in 'Malware Help (A Specialist Will Reply)' started by Keep, Jan 27, 2008.

  1. Keep

    Keep Private E-2

    Hello Helpers!

    Sophos is picking up 3 different infections which it will not remove. These infections include Troj/Virtum-Gen, Troj/BHO-EL, and Virtumundo. My computer is being seriously slowed down. Whenever I click on Mozilla, a Sophos pop-up appears saying that it has detected fccyvwt.dll, which belongs to Virtum-Gen; sometimes Sophos will keep detecting this and the counter on Sophos goes up to 1000. This infection has also started to make my laptop fan make a much louder noise than usual; however, I cannot prove that the two are related. I have read the "Read Me" post and followed its instructions. The only thing I found was "Search Assist" with a space between the two words, and I was not sure if that was the same malware as "SearchAssist" listed on the "Read Me" post. I was unclear about the "Read Me" post instructions about posting a HijackThis log, but I will post it as an attachment. Thank you for your time!
     

    Attached Files:

  2. Keep

    Keep Private E-2

    After reading the FAQs more carefully, here is my updated information.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    What is the below for?
    O4 - Global Startup: PolicyKey.lnk = C:\Program Files\Impulse\PolicyKey.exe

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {07357E28-576F-4059-81FF-53251A5AC084} - C:\WINDOWS\system32\cewmd.dll
    O2 - BHO: (no name) - {8E3FBDE2-7DBD-4040-85D9-29BBC559C129} - C:\WINDOWS\system32\fccyvwt.dll
    O4 - HKLM\..\Run: [f4754e37] rundll32.exe "C:\WINDOWS\system32\hptklhgg.dll",b
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O20 - Winlogon Notify: fccyvwt - C:\WINDOWS\SYSTEM32\fccyvwt.dll

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    Now run Ccleaner!
    Now use MSconfig to put your system into Normal Startup as was originally requested in the READ & RUN ME. You must remain in Normal Startup mode.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
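As an added example (not part of this thread and not code from HijackThis or MGtools): a small Python parser for the O2/O4/O9/O20 lines quoted in this post, followed by the triage checks a helper applies by eye when reading such a log. The sample lines are constructed from the entries quoted in the thread; the Winlogon Notify allow-list is an assumption about a stock Windows XP install and should be checked against the build being examined.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the HijackThis lines quoted in this post, plus the
# Global Startup entry the helper asked about earlier in the thread.
SAMPLE_HJT_LINES = r"""
O2 - BHO: (no name) - {07357E28-576F-4059-81FF-53251A5AC084} - C:\WINDOWS\system32\cewmd.dll
O2 - BHO: (no name) - {8E3FBDE2-7DBD-4040-85D9-29BBC559C129} - C:\WINDOWS\system32\fccyvwt.dll
O4 - HKLM\..\Run: [f4754e37] rundll32.exe "C:\WINDOWS\system32\hptklhgg.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - Global Startup: PolicyKey.lnk = C:\Program Files\Impulse\PolicyKey.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: fccyvwt - C:\WINDOWS\SYSTEM32\fccyvwt.dll
"""

# (section, pattern) pairs, tried in order; the first match wins.
HJT_PATTERNS = [
    ("O2", re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")),
    ("O4", re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<path>.+)$")),
    ("O4", re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<path>.+)$")),
    ("O9", re.compile(r"^O9 - Extra button: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")),
    ("O20", re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")),
]

# Assumption: Winlogon Notify packages present on a stock Windows XP install.
XP_WINLOGON_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                      "sclgntfy", "senslogn", "termsrv", "wlballoon"}
HEX_VALUE_NAME = re.compile(r"^[0-9a-f]{8}$", re.I)


@dataclass
class HjtEntry:
    section: str
    name: str
    path: str
    clsid: Optional[str] = None
    hive: Optional[str] = None
    raw: str = ""


def parse_hjt(text: str) -> list[HjtEntry]:
    """Turn the supported HijackThis line types into structured entries."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        for section, pattern in HJT_PATTERNS:
            m = pattern.match(line)
            if m:
                d = m.groupdict()
                entries.append(HjtEntry(section, d["name"], d["path"],
                                        d.get("clsid"), d.get("hive"), line))
                break
    return entries


def dll_of(entry: HjtEntry) -> Optional[str]:
    """Lower-cased DLL file name referenced by an entry, if any."""
    if entry.section in ("O2", "O20"):
        return entry.path.strip('"').rsplit("\\", 1)[-1].lower()
    m = re.search(r"[\w~.-]+\.dll", entry.path, re.I)
    return m.group(0).lower() if m else None


def triage(entries: list[HjtEntry]) -> list[str]:
    """The checks a helper applies by eye; returns one finding per suspicious item."""
    findings = []
    seen: dict[str, set[str]] = {}
    for e in entries:
        dll = dll_of(e)
        if e.section == "O2" and e.name == "(no name)":
            findings.append(f"{e.raw}: unnamed BHO {dll} loads into every Internet Explorer "
                            f"and Explorer process; identify it by file version info before trusting it")
        if e.section == "O4" and HEX_VALUE_NAME.match(e.name) and e.path.lower().startswith("rundll32"):
            findings.append(f"{e.raw}: random hex value name running {dll} via rundll32 at startup")
        if e.section == "O9" and e.path == "(no file)":
            findings.append(f"{e.raw}: orphaned toolbar button, target file is missing")
        if e.section == "O20" and e.name.lower() not in XP_WINLOGON_NOTIFY:
            findings.append(f"{e.raw}: Winlogon Notify package '{e.name}' is not a stock XP package; "
                            f"{dll} is loaded by winlogon.exe at logon")
        if dll:
            seen.setdefault(dll, set()).add(e.section)
    # A DLL registered in more than one place needs every location removed in the same fix.
    for dll, sections in sorted(seen.items()):
        if len(sections) > 1:
            findings.append(f"{dll}: registered in {', '.join(sorted(sections))}; "
                            f"fix every location in the same pass")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_hjt(SAMPLE_HJT_LINES)):
        print(finding)
```

On the sample, the Java updater and the Impulse startup shortcut pass untouched, while both unnamed BHOs, the hex-named rundll32 entry, the orphaned O9 button and the Winlogon Notify entry are reported, and fccyvwt.dll is called out as registered in two places, which is why the post above fixes the O2 and O20 lines together.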
     
  4. Keep

    Keep Private E-2

    Hello helper! Sorry for the delayed response school is keeping me busy.

    I have followed your instructions and I am no longer getting the repeated fccyvwt.dll message!! I am, however, getting a cewmd.dll which belongs to Troj/BHO-EL whenever I click on "My Computer". My PC's fan is still making a strange noise, and there does seem to be a large lag time between when I click on Mozilla and when it opens.


    Thank you so so so much for all your help so far, It really means a lot that you would take time out of your day to help someone you have never met!

    Here are the log files you have asked for...

    P.S. What is the below for?
    O4 - Global Startup: PolicyKey.lnk = C:\Program Files\Impulse\PolicyKey.exe

    It was a program I needed for school but no longer need.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then uninstall the Impulse software if you no longer need it. No sense running things you don't need.



    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {07357E28-576F-4059-81FF-53251A5AC084} - C:\WINDOWS\system32\cewmd.dll
    If the below still remains, fix it too.
    O4 - Global Startup: PolicyKey.lnk = C:\Program Files\Impulse\PolicyKey.exe

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
     
  6. Keep

    Keep Private E-2

    cewmd.dll still shows up even after I delete it. Whenever I click on a folder it pops up. It keeps cloning itself or something. Also pmorbkld.dll.vir popped up on sophos yesterday but has not been back.

    Here are the logs
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It did not delete and that is why it is still popping up.

    Not a problem. This is what we already deleted awhile back and it is in the quarantine folders.


    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {07357E28-576F-4059-81FF-53251A5AC084} - C:\WINDOWS\system32\cewmd.dll


    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    Driver::
    cewmd
     
    File::
    C:\WINDOWS\system32\cewmd.dll
     
    Registry::
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07357E28-576F-4059-81FF-53251A5AC084}]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Jan 31, 2008
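As an added example (not part of this thread and not ComboFix's own code): a Python parser and sanity checker for the CFScript format used in the posts above, covering the Driver::, File:: and Registry:: sections the thread uses. It catches the failure mode the helper warns about, a paste that was not scrolled all the way down, by reporting any section left empty. The sample script is constructed from the entries quoted in the thread; treating a bracketed `[-KEY]` line as a key deletion follows .reg file syntax and is an assumption about ComboFix.

```python
from __future__ import annotations

import re

# Constructed sample: a CFScript assembled from entries quoted in this thread.
SAMPLE_CFSCRIPT = r"""
Driver::
cewmd

File::
C:\WINDOWS\system32\cewmd.dll
C:\WINDOWS\system32\pmorbkld.dll.vir
C:\WINDOWS\system32\hhhkj.bak1

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07357E28-576F-4059-81FF-53251A5AC084}]
"""

# Constructed failure case: the paste stopped after the Registry:: header.
TRUNCATED_CFSCRIPT = SAMPLE_CFSCRIPT.split("Registry::")[0] + "Registry::\n"

# Only the sections this thread uses; real scripts may carry others.
KNOWN_SECTIONS = {"Driver", "File", "Registry"}
HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT", "HKEY_USERS")
ABS_PATH = re.compile(r"^[A-Za-z]:\\")


def parse_cfscript(text: str) -> tuple[dict[str, list[str]], list[str]]:
    """Split the script into {section: [entries]} and collect structural problems."""
    sections: dict[str, list[str]] = {}
    problems: list[str] = []
    current = None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            if current not in KNOWN_SECTIONS:
                problems.append(f"line {n}: unknown section '{current}'")
            sections.setdefault(current, [])
            continue
        if current is None:
            problems.append(f"line {n}: '{line}' appears before any section header")
            continue
        sections[current].append(line)
    return sections, problems


def validate(sections: dict[str, list[str]], problems=()) -> list[str]:
    """Per-section checks: bare service names, absolute paths, bracketed key deletions."""
    problems = list(problems)
    for name in sections.get("Driver", []):
        if "\\" in name or "." in name:
            problems.append(f"Driver:: '{name}' should be a bare service name, not a path")
    for path in sections.get("File", []):
        if not ABS_PATH.match(path):
            problems.append(f"File:: '{path}' is not an absolute drive path")
    for key in sections.get("Registry", []):
        if not (key.startswith("[-") and key.endswith("]")):
            problems.append(f"Registry:: '{key}' is not a bracketed [-KEY] deletion")
        elif not key[2:].upper().startswith(HIVES):
            problems.append(f"Registry:: '{key}' does not start with a known hive")
    for sec, entries in sections.items():
        if not entries:
            problems.append(f"{sec}:: section is empty (truncated paste?)")
    return problems


def check_script(text: str) -> list[str]:
    """Parse and validate; an empty list means the script is structurally sound."""
    return validate(*parse_cfscript(text))


if __name__ == "__main__":
    print("full script:", check_script(SAMPLE_CFSCRIPT) or "ok")
    print("truncated script:", check_script(TRUNCATED_CFSCRIPT))
```

Run before dragging CFScript.txt onto ComboFix.exe, the check returns nothing for the full script and flags the empty Registry:: section in the truncated copy, which is the case where the BHO key would otherwise survive the fix.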
  8. Keep

    Keep Private E-2

    That file does not seem to be popping up now, but I'm still skeptical since things seem to be running slow, but who knows. Here are the logs.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, it still did not quite get fixed. Let's make sure that nothing is interfering with our fix.

    First uninstall AVG Antispyware.
    Now shut down your Sophos Antispyware protection and then continue on with the below.

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {07357E28-576F-4059-81FF-53251A5AC084} - C:\WINDOWS\system32\cewmd.dll

    After clicking Fix, exit HJT.

    Tell me if you receive any error message while doing the above with HijackThis.


    Now download the current version of combofix.exe to your Desktop thus overwriting your previous version. It must be saved to your Desktop. Do not run it! Just save it to your Desktop.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    Driver::
    cewmd 
     
    File::
    C:\WINDOWS\system32\cewmd.dll
    C:\WINDOWS\system32\pmorbkld.dll.vir
    C:\WINDOWS\system32\hhhkj.bak1
    C:\WINDOWS\system32\hhhkj.bak2
    C:\WINDOWS\system32\rstwa.bak1
    C:\WINDOWS\system32\tttss.bak1
     
    Registry::
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07357E28-576F-4059-81FF-53251A5AC084}] 
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point,YOU MUST EXIT ALL BROWSERS NOW before continuing! If you don't do this the fix may not work.
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner!

    Now download the new version of MGtools.exe and save it to the root folder of drive C. You should have C:\MGtools.exe when finished. Yes you will be overwriting the previous version saved there.

    Now run the C:\MGtools.exe file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  10. Keep

    Keep Private E-2

    things seem to be running smoother. Here are the logs
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, that C:\WINDOWS\system32\cewmd.dll file still refuses to be deleted. If you go to the C:\WINDOWS\system32 folder using Windows Explorer, can you see the cewmd.dll file? If so, what file date and time do you see on it? Also, how large is the file? Right click on the file and select Properties, and then check the Version tab to see who this file belongs to. (The Version tab may not exist. Just tell me if it does not.) Also see if you can put a copy of this file into a ZIP file and attach it here.

    The new version of MGtools found a few other bad files hanging around so let's repeat another fix anyway to get them removed. I expect that the cewmd.dll file and BHO will still not get fixed.

    What are the below 2 huge files on your Desktop? They are wasting over 4 gigabytes of disk space. If you need these, you should store them somewhere else, as the Desktop is not a safe storage place and files like this could be confused with malware and may be deleted.
    Code:
    "C:\Documents and Settings\Neal\Desktop\"
    data3.cab     Jan  3 2008  2087955383  "data3.cab"
    swg14d~1.exe  Jan  4 2008  2097242215  "SWG14DayTrial.exe"

    Now shut down your Sophos Antispyware protection and then continue on with the below.

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {07357E28-576F-4059-81FF-53251A5AC084} - C:\WINDOWS\system32\cewmd.dll

    After clicking Fix, exit HJT.

    **** Make sure you tell me if you receive any error message while doing the above with HijackThis!!!!! ****
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    Driver::
    cewmd
    aadvlvjg
    pgvlisji
    BD2040
    nvModes
     
    File::
    C:\WINDOWS\system32\cewmd.dll
    C:\WINDOWS\system32\drivers\pgvlisji.dat
    C:\WINDOWS\system32\hhhkj.ini
    C:\WINDOWS\system32\rstwa.ini
    C:\WINDOWS\system32\tttss.ini
    C:\WINDOWS\system32\BD2040.DAT
    C:\WINDOWS\system32\nvModes.dat
     
    Registry::
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07357E28-576F-4059-81FF-53251A5AC084}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c1989275-de10-11db-98fb-0016cffbe054}] 
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point,YOU MUST EXIT ALL BROWSERS NOW before continuing! If you don't do this the fix may not work.
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  12. Keep

    Keep Private E-2

    So there was no "version" tab, and 10.18.2006 was when that file was created. Those two large files on my desktop are for a computer game.

    Thank you for the continued help!
     

    Attached Files:

  13. Keep

    Keep Private E-2

    Also here is the cewmd file compressed.
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes there is! According to the ZIP file you attached, this is a Microsoft file with the below information:

    Description: Windows CE WMDM Service Provider
    File Version: 11.0.5721.5145
    Product Name: Windows Media Device Manager

    I don't have that version listed anywhere on any of my systems, but it could be that it installs with Windows Media Player 11, which I have not installed anywhere since I have no need for it and I don't like a lot of the baggage that comes along with it.

    Thus this BHO (Browser Helper Object) is not a problem.

    Are you currently having any other problems from malware? Your logs appear to be clean.
     
  15. Keep

    Keep Private E-2

    Stuff is definitely not 100%. My system still seems slow and I think my CPU is not running at full speed. Now I get Sophos warnings about qcfjdp.dat which belongs to Boaxxe-c. Btins.dll is showing up as Sus/Behav.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Probably not due to malware. What is your CPU usage showing in Task Manager? Are any processes hogging CPU time?

    Now I get Sophos warnings about qcfjdp.dat which belongs to Boaxxe-c. Btins.dll is showing up as Sus/Behav.

    Where was qcfjdp.dat found?

    Btins.dll is for your BlueTooth.


    Let's check for rootkits just to be on the safe side. Please run the below and attach the log:

    Using Sophos Anti-Rootkit
     
