Virtumonde- From bad to worse

Discussion in 'Malware Help (A Specialist Will Reply)' started by zigboo, May 28, 2007.

  1. zigboo

    zigboo Private E-2

    Hi Folks,

    I somehow got nailed with Virtumonde two weeks ago and have been fighting with it ever since. Having tried everything I've been able to find on the web (short of attacking things in HJT), I've finally admitted defeat. I noticed some great postings here, so thought I'd ask for some help from the experts at Geeks. I've followed all of the steps in the READ & RUN ME FIRST sticky already, but have managed to end up worse off somehow. That's not a shot at the process, but typical of my last two weeks fighting this thing.

    After finishing step 7 last night, I shut down. When I tried to boot into normal mode today, I am now getting a popup window with a title bar of RUNDLL and the message "Error loading C:\WINDOWS\system32\yekrmujm.dll. The specified file could not be found." When I click the OK button on that box, it pretty much causes the system to either grind to a halt or hang (can't tell which- the mouse moves, but nothing came back after an hour, and I can't get task manager to come up).

    I can still get into safe mode OK, so I'm trying step 5 again in desperate hope it will at least let me boot into normal mode (it's my work laptop, so I'm a little unproductive right now...).

    I've attached all the logs from yesterday's efforts and would greatly appreciate any help with getting back into normal mode, and even better, getting rid of Virtumonde. I was unable to get a log from CounterSpy as it auto-updated on install, and when I run it in Safe Mode, there is no option to view and scan details.

    Thanks,
    Zigboo
     


  2. zigboo

    zigboo Private E-2

    And the rest of the logs...

    And I forgot to mention that I followed the additional step for Virtumonde and ran Vundofix, so that log is attached as well.
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You did not create the log as requested for BitDefender. As a result all you attach is a log summary which is of no use to us.

    Is the copy of Spy Sweeper you have recently installed a paid version or is it a free trial version? If free, you should uninstall it unless you plan on purchasing it. If paid, you should shut it down before doing any of the below fixes because it could get in the way of the removal process.

    Also uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Continue by downloading a tool we will need

    - Process Explorer

    Extract it to its own folder somewhere that you will be able to locate it later.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    Make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of any of the below DLL files (if found) and then click the kill button.
    hggfgee.dll
    owcfgpdr.dll
    ddcya.dll

    After you have killed all instances of any of the above DLLs under winlogon click ok.
    (If you do not find these DLLS, just continue on.)

    Next double click on explorer.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    hggfgee.dll
    owcfgpdr.dll
    ddcya.dll
    After you have killed all instances of any of the above DLLs under Explorer click ok.
    (If you do not find these DLLS, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    hggfgee.dll
    owcfgpdr.dll
    ddcya.dll

    After you have killed all instances of any of the above DLLs under iexplore click ok.
    (If you do not find these DLLS, just continue on.)

    Now just exit Process Explorer.

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {0FAB5A46-AAF5-40CE-BE2E-4588312F82FB} - (no file)
    O2 - BHO: (no name) - {2C8970E4-E775-4456-BCEF-EE4C8A804895} - C:\WINDOWS\system32\hggfgee.dll
    O2 - BHO: (no name) - {30AC2BC3-9B53-445F-ABDD-AA24FADDB348} - (no file)
    O2 - BHO: (no name) - {392AA8F2-48F2-4D86-A56D-360B97F59388} - C:\WINDOWS\system32\geeda.dll (file missing)
    O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\fmqrymvu.dll (file missing)
    O2 - BHO: Buyertools - {7C7A8947-5935-4430-AC0E-E7D04697414E} - C:\APPLIC~1\BUYERT~1\IEBUTT~1.DLL (file missing)
    O2 - BHO: (no name) - {7D4CCA72-D0BB-464C-8E2C-2CBBA4D2FDB6} - (no file)
    O2 - BHO: (no name) - {8B4FAEF9-1407-4EAA-8E85-C2985C6BFDC2} - C:\WINDOWS\system32\pmnlj.dll (file missing)
    O2 - BHO: (no name) - {B608935A-8371-4708-A7BA-8365B995371b} - C:\WINDOWS\system32\owcfgpdr.dll
    O2 - BHO: PsapiAnalyzer Object - {CB8B69CF-31AF-40D0-A119-5A8435BC1534} - c:\windows\system32\3076\siis.dll (file missing)
    O2 - BHO: (no name) - {D1A2A64A-4E1B-4782-94A2-45DB0CF1FA4a} - C:\WINDOWS\system32\owcfgpdr.dll
    O2 - BHO: (no name) - {D30D08DF-7163-44C0-B71B-BD3346EC06DD} - (no file)
    O2 - BHO: (no name) - {E86CBBFB-8802-4983-AEB6-C64B385E156A} - C:\WINDOWS\system32\ddcya.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\yekrmujm.dll",realset
    O20 - Winlogon Notify: ddcya - C:\WINDOWS\system32\ddcya.dll
    O20 - Winlogon Notify: hggfgee - C:\WINDOWS\SYSTEM32\hggfgee.dll
    O20 - Winlogon Notify: jkklk - C:\WINDOWS\system32\jkklk.dll (file missing)
    O20 - Winlogon Notify: winxkn32 - winxkn32.dll (file missing)

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. Avenger
    2. GetRunKey
    3. ShowNew
    4. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
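The HijackThis lines chaslang lists above follow a recognisable Virtumonde pattern: unnamed O2 BHOs and O20 Winlogon Notify hooks pointing at oddly named DLLs in system32, several of them referenced by both an O2 and an O20 entry, plus an O4 Run value that launches rundll32.exe on the very DLL named in the RUNDLL error from the first post. The following Python script is an added example written for this page (it is not part of the thread, HijackThis, or any MajorGeeks tool): it parses O2/O4/O20 lines from an HJT log, flags the entries a helper would want to look at, and reports DLLs hooked from more than one place. The flagging rules (dead references, unnamed system32 BHOs, rundll32 autoruns of system32 DLLs, Winlogon Notify DLLs absent from a caller-supplied allowlist) are heuristics chosen for this example, and the sample input is constructed from the lines quoted in the reply above.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the HijackThis lines quoted in the reply above.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {0FAB5A46-AAF5-40CE-BE2E-4588312F82FB} - (no file)
O2 - BHO: (no name) - {2C8970E4-E775-4456-BCEF-EE4C8A804895} - C:\WINDOWS\system32\hggfgee.dll
O2 - BHO: Buyertools - {7C7A8947-5935-4430-AC0E-E7D04697414E} - C:\APPLIC~1\BUYERT~1\IEBUTT~1.DLL (file missing)
O2 - BHO: (no name) - {E86CBBFB-8802-4983-AEB6-C64B385E156A} - C:\WINDOWS\system32\ddcya.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\yekrmujm.dll",realset
O20 - Winlogon Notify: ddcya - C:\WINDOWS\system32\ddcya.dll
O20 - Winlogon Notify: hggfgee - C:\WINDOWS\SYSTEM32\hggfgee.dll
O20 - Winlogon Notify: winxkn32 - winxkn32.dll (file missing)
"""

# Line shapes for the three HJT sections this example understands.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<location>.+?): \[(?P<value>[^\]]*)\] (?P<command>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<target>.*)$")

# HJT appends these markers when the referenced file no longer exists.
MISSING_MARKERS = ("(no file)", "(file missing)")
DLL_RE = re.compile(r'([^\\/"\s]+\.dll)', re.IGNORECASE)


def dll_basename(text):
    """Lowercase basename of the first .dll mentioned in text, or None."""
    m = DLL_RE.search(text)
    return m.group(1).lower() if m else None


def parse_hjt(text):
    """Turn HJT log lines into dicts; lines of other sections are kept as kind 'other'."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O2_RE.match(line)
        if m:
            entries.append({"kind": "O2", "line": line, "name": m["name"],
                            "clsid": m["clsid"], "target": m["target"]})
            continue
        m = O4_RE.match(line)
        if m:
            entries.append({"kind": "O4", "line": line, "location": m["location"],
                            "value": m["value"], "target": m["command"]})
            continue
        m = O20_RE.match(line)
        if m:
            entries.append({"kind": "O20", "line": line, "key": m["key"], "target": m["target"]})
            continue
        entries.append({"kind": "other", "line": line, "target": ""})
    return entries


def triage(entries, notify_allowlist=frozenset()):
    """Return the entries that match one of the (heuristic, example-only) review rules."""
    flagged = []
    for e in entries:
        target = e["target"]
        dll = dll_basename(target)
        in_system32 = "system32" in target.lower()
        flags = []
        if any(marker in target for marker in MISSING_MARKERS):
            flags.append("dead reference (file missing)")
        if e["kind"] == "O2" and e["name"] == "(no name)" and dll and in_system32:
            flags.append("unnamed BHO loaded from system32")
        if e["kind"] == "O4" and "rundll32" in target.lower() and dll and in_system32:
            flags.append("rundll32 autorun of a system32 DLL")
        # The allowlist is meant to be filled from a known-clean reference machine.
        if e["kind"] == "O20" and dll and dll not in notify_allowlist:
            flags.append("Winlogon Notify DLL not on allowlist")
        if flags:
            flagged.append({**e, "dll": dll, "flags": flags})
    return flagged


def dll_references(entries):
    """Map each referenced DLL basename to the list of HJT sections that reference it."""
    refs = defaultdict(list)
    for e in entries:
        dll = dll_basename(e["target"])
        if dll:
            refs[dll].append(e["kind"])
    return dict(refs)


def multi_hooked(entries):
    """DLLs referenced from more than one section (e.g. both a BHO and a Winlogon Notify hook)."""
    return sorted(d for d, kinds in dll_references(entries).items() if len(set(kinds)) > 1)


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_HJT)
    for f in triage(parsed):
        print(f"{f['kind']:<4} {f['dll'] or '-':<14} {'; '.join(f['flags'])}")
    print("hooked from more than one section:", multi_hooked(parsed))
```

Run against a full HJT log, the report lists every entry worth a second look with the reason, and the last line shows which DLLs are wired in through several mechanisms at once, which is why a single Fix in HJT is rarely enough and the helper also has the loaded copies killed in winlogon.exe and explorer.exe first.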
     
  4. zigboo

    zigboo Private E-2

    Hi Chaslang,

    Thanks so much for your response and help. My apologies on the incorrect log from BD- not sure where I went wrong, but I'll endeavour to be more careful going forward. Here's an update based on your directions:

    The Spysweeper I had installed was a trial version, but it was un-installed as part of the READ & RUN Step 3 before my original post. On to your steps...

    1) CounterSpy
    Uninstalled successfully (and removed all of its own directories)

    2) Process Explorer
    When I ran it, I got the following message: The version of dbghelp.dll configured does not support the Microsoft Symbol Server. Please download and install the Microsoft Debugging Tools for Windows to get a version that does. I clicked OK and the app seemed to open up no problem, so I proceeded as instructed, finding and killing the following:

    In winlogon-
    2 x hggfgee.dll
    3 x ddcya.dll

    In explorer.exe-
    1 x hggfgee.dll
    4 x ddcya.dll

    In iexplorer-
    Nothing

    3) HijackThis
    Ran the scan, then closed the browser, then fixed everything except the following entry as it did not appear in the list:
    O2 - BHO: (no name) - {E86CBBFB-8802-4983-AEB6-C64B385E156A} - C:\WINDOWS\system32\ddcya.dll

    4) REGEDIT4
    Registry entries were successfully added.

    5) The Avenger
    Seemed to run OK, but I saw messages of "file not found" flash by as it did. Reboot work fine. Log attached.

    6) Ccleaner
    Ran fine after reboot.

    7) Logs
    I ran GetRunKey, ShowNew and HJT in that order, after Ccleaner. Logs attached.

    I did notice on a quick scan of the HJT log that there is still an instance of DDCYA.DLL showing, but not sure if that's relevant.

    Status at this point:
    Having gone through all these steps, the machine now boots into normal mode no problem, and the RUNDLL pop-up is gone. I haven't done any heavy browsing, but have left a few browsers open for a couple of hours now, periodically clicking to a different site now and then, and have not had any pop-ups appear (I was getting lots of Anti Spyware pop-ups originally). I'm not sure if the whole system is clean or not (given the instance of DDCYA.DLL), but for the last few hours, I seem to at least be symptom free if not cured, which is fantastic. Thanks!

    If you think I still have some cleaning to do, please let me know, but again, thanks for your efforts already as I am up and running at least, and able to get work done.

    Thanks & Cheers,
    Zigboo
     


  5. zigboo

    zigboo Private E-2

    And the HJT log...
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Spy Sweeper did not uninstall completely. We will fix that along with a couple other items below.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {66DB5A7D-9DD8-4636-AA14-D484F42B9257} - C:\WINDOWS\system32\ddcya.dll (file missing)
    O4 - HKCU\..\Run: [SpySweeper] "C:\Applications\Utilities\Spy Sweeper\SpySweeper.exe" /0
    O4 - Global Startup: Spy Sweeper.lnk.disabled
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete the below if found:
    C:\Program Files\Common Files\Webroot Shared <--- the whole folder
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Spy Sweeper.lnk.disabled
    C:\WINDOWS\system32\aycdd.bak2

    Now run Ccleaner

    Now reboot in normal mode

    Now attach the below new logs and tell me how the above steps went.

    1. ShowNew
    2. HJT


    Make sure you tell me how things are working now!
     
    Last edited: May 29, 2007
  7. zigboo

    zigboo Private E-2

    Hi Chaslang,

    I've run through the steps as described...

    1) HijackThis
    All listed items identified and fixed.

    2) Safe Mode Deletes
    Webroot Shared- found and deleted
    Spy Sweeper.lnk.disabled- found and deleted
    aycdd.bak2- not found

    I did a full drive search on *aycdd* and found two hits, both in the Avenger directory, but did not delete them:
    aycdd.bak1
    aycdd.ini

    3) Ccleaner
    Ran cleanly

    4) Reboot to Normal Mode
    ShowNew and HJT ran cleanly. Logs attached.

    Current Status
    The system is still running strong and showing no visible signs of infection. No pop-ups or booting issues. It even seems to load slightly faster than before the issues started.

    Thanks,
    Zigboo
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You cannot use Windows Search unless properly configured. You must use Windows Explorer. That is what step 2 of the READ ME was all about! The below file is still on your PC. Run Windows Explorer and navigate to the file and delete it.
    C:\WINDOWS\system32\aycdd.bak2


    Your logs are clean other than the above.
    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, and the C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  9. zigboo

    zigboo Private E-2

    Chaslang, thanks a million. I really appreciate all your time and effort on this- cleaning all this up has saved me countless days rebuilding my machine from a stock corporate image. Very much appreciated!

    Per your last note, I did screw up step 2 and left the system files hidden. I corrected that and have removed the aycdd.bak2 file. I've also read through the "How to protect yourself" link and will follow up on that with this laptop and all my home PCs tomorrow.

    You and the rest of the Geeks are a fantastic outfit!

    Thanks again,
    Zigboo
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
