Virtumonde, I think

Discussion in 'Malware Help (A Specialist Will Reply)' started by etsun, May 17, 2008.

  1. etsun

    etsun Private E-2

    First of all, I'd like to say that I greatly appreciate the fact that people are going out of their way to help folks in trouble like myself. Thanks a heap.

    As for my problem, I think I have a Virtumonde infection. Spybot S&D and such find it and delete it, but then it comes back later. Specific fixes like VundoFix.exe don't find anything. Besides popups and weird .dll's, more often than not when I boot I get some Data Execution Prevention message about Windows Explorer, and then an error message about how Explorer had encountered a problem and needs to close. Explorer then closes, only to start again almost immediately. This doesn't always happen though. Sometimes when I boot the computer does one of those disk consistency scans (I'm not sure why). When that happens, no Data Execution Prevention message comes up later, whether I go through with the scan or cancel it.

    Windows also tells me via little icons on the bottom right that automatic updates are not turned on, even when they are. I don't know if that's part of the problem.

    Once again, thanks in advance for any help you can give me.
     


  2. etsun

    etsun Private E-2

    Here's the MGtools logs.
     


  3. abri

    abri MajorGeek

    Hi etsun,

    Please do the following:

    1) Please disable your guest account if this hasn't already been done.

    2) Go to add/remove programs and uninstall the below:

    - Java(TM) 6 Update 3

    3) Reboot after uninstalling the above.

    4) Install the current version of Sun Java from: Sun Java Runtime Environment

    5) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    6) Run C:\MGtools\analyse.exe by double clicking on it. (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {3F194E4D-77F5-4120-91D8-9237187EB53B} - C:\WINDOWS\system32\vtUomnNd.dll (file missing)
    O2 - BHO: (no name) - {6B6ABC9E-3448-417E-AD5E-B4C5610DA475} - C:\WINDOWS\system32\nnnoMghi.dll (file missing)
    O2 - BHO: (no name) - {A7FED8D3-4D97-4B1E-A5D3-8D051385EEF6} - C:\WINDOWS\system32\ssqPhEUK.dll (file missing)
    O2 - BHO: (no name) - {C0DAE33E-81CB-4EC0-AD73-911CF0983F13} - C:\WINDOWS\system32\yayvWpqO.dll (file missing)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O20 - Winlogon Notify: jkdgvecg - C:\WINDOWS\


    After you click fix, just close hijackthis.


    7) Download and install Erunt. Use it to create a backup of your registry.


    8) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the File Type is set to "all files". Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.
    9) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt




    10) Now run CCleaner at the default setting with the Windows tab as the top one.

    11) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now?

    abri
     
  4. etsun

    etsun Private E-2

    Hi, thanks for the assist.

    Unfortunately, it seems that I still get weird popups, and I think I may still have problems. I have attached the two sets of logs.
     


  5. etsun

    etsun Private E-2

    Update: Things have gotten worse, so to speak.

    Every time I start up now, I get two error messages, one after the other, both saying

    "userinit.exe – Application Error

    The application failed to intialise properly (0xc0000005). Click OK to terminate the application"

    Explorer fails to start or something. I just get my desktop background, but with nothing on it. No icons, no taskbar, nothing. Nothing except the mouse pointer, which I can freely move around, but that doesn't do much good.

    This happens when I boot in safe mode as well. I am very distressed, especially since that computer is rather important, to say the least. I will be extremely grateful for any kind of support.
     
  6. abri

    abri MajorGeek

    Hi etsun,

    Sorry for the problems you're having. Your computer is badly infected. Please use it only for the procedures we are doing to get rid of the viruses and hold off on any other activities. Also, try not to reboot any more than necessary, as new malware files are created with each reboot.

    I'll post the next instructions to you shortly.

    abri
     
  7. abri

    abri MajorGeek

    Hi etsun,

    Here is what I would like for you to do next:


    1) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select Do a system scan only. In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O2 - BHO: (no name) - {326A51B0-7E24-40B8-9CB7-45EF58E97783} - C:\WINDOWS\system32\nnnKCSKd.dll
    O4 - HKLM\..\Run: [bcd0f5e3] rundll32.exe "C:\WINDOWS\system32\kkfwwiot.dll",b
    O20 - Winlogon Notify: sqaonpyx - C:\WINDOWS\SYSTEM32\sqaonpyx.dll
    O20 - Winlogon Notify: __c00AE7BF - C:\WINDOWS\SYSTEM32\__c00AE7BF.dat
    O20 - Winlogon Notify: __c00BC551 - C:\WINDOWS\SYSTEM32\__c00BC551.dat


    After you click fix, just close hijackthis.


    2) Run Erunt to create a backup of your registry.


    3) Then copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the File Type is set to "all files". Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.
    4) Now run The Avenger by Swandog46
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt


    5) Now run CCleaner at the default setting with the Windows tab as the top one.

    6) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Avenger log.


    Let me know how things are running now?

    abri
     
  8. etsun

    etsun Private E-2

    Hi abri, thanks again.

    I don't seem to be getting popups anymore, but I haven't tested that extensively. However, when I was running MGtools, I got quite a few error messages that did not seem to do anything. I list them here.

    cmd.exe - Application error
    The application failed to initialize properly (0xc0000005). Click on OK to terminate the application

    find.exe – Application Error
    The application failed to initialize properly (0xc0000005). Click on OK to terminate the application

    Attrib.exe - Application Error
    The application failed to initialize properly (0xc0000005). Click on OK to terminate the application

    ProcessDll.exe - Application Error
    The application failed to initialize properly (0xc0000135). Click on OK to terminate the application

    These came in droves, but MGtools went on running anyway when I closed them. Also, I think nnnKCSKd.dll is still floating around.

    In any case, I have attached the two sets of logs.
     


  9. abri

    abri MajorGeek

    Hi etsun,

    Your tools ran okay. Sometimes something happens during the fixes and they have to be reinstalled, but I got your logs okay. You still have some malware and I think it's because I didn't get the appinit key fixed. Please do the following:

    1) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select Do a system scan only. In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00EBBE3.dat


    After you click fix, just close hijackthis.


    2) Run Erunt to create a backup of your registry.


    3) Then copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the File Type is set to "all files". Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.

    4) Now run The Avenger by Swandog46
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt


    5) Now run CCleaner at the default setting with the Windows tab as the top one.

    6) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Avenger log.


    Let me know how things are running now?

    abri
     
  10. etsun

    etsun Private E-2

    Things seem to be more or less OK now. You are truly amazing.

    ...however, I have attached the logs anyway.

    Thank you once again. You have saved me a lot of grief.
     


  11. abri

    abri MajorGeek

    Hi etsun,

    It's still there, but we are getting closer to defeating it. Please do the following. Some of these are just steps that will make your computer less vulnerable.

    1) Please disable your guest account if this hasn't already been done.

    2) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    3) Please copy or print out the rest of the instructions, because I want you to physically unplug your computer from the internet before doing the following instructions. After you unplug it, I want you to disable all your antivirus and antispyware programs and your firewall. Sometimes these prevent a change from taking place that we want to achieve. When you've done this, please continue.


    4) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select Do a system scan only. In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00EBBE3.dat

    After you click fix, just close hijackthis.



    5) Next I would like to have you use ComboFix to remove some files.


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):


    Code:
    KILLALL::
    
    FILE::
    C:\0n.bat
    C:\WINDOWS\system32\__c00EBBE3.dat
    C:\WINDOWS\system32\vnhfrhyl.ini
    C:\WINDOWS\system32\msldnrxo.ini
    C:\WINDOWS\system32\woefxvff.dll
    
    LOOK::
    C:\WINDOWS\lgcenter.ini
    C:\WINDOWS\lgcstuid.ini
    C:\WINDOWS\lg_up.ini
    
    DIRLOOK::
    C:\Documents and Settings\Ephraim\My Documents\DCI
    
    REGISTRY::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


    6) Now run CCleaner at the default setting with the Windows tab as the top one.

    7) Re-enable all your protection software: antivirus, antispyware and firewall.

    8) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Combofix log.


    Let me know how things are running now?

    abri
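    As an added triage example (not part of this thread, nor code from HijackThis, MGtools or ComboFix), the Python below parses the kinds of HijackThis lines abri has been flagging (O2 BHOs, O4 Run keys, O20 Winlogon Notify and AppInit_DLLs) and reports why each is a persistence point. The sample log is constructed from entries quoted above plus one legitimate QuickTime entry as a control; the allowlist of default Windows XP Winlogon Notify packages is my assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample: HijackThis lines taken from the entries quoted in this thread, plus a benign control.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {3F194E4D-77F5-4120-91D8-9237187EB53B} - C:\WINDOWS\system32\vtUomnNd.dll (file missing)
O2 - BHO: (no name) - {326A51B0-7E24-40B8-9CB7-45EF58E97783} - C:\WINDOWS\system32\nnnKCSKd.dll
O4 - HKLM\..\Run: [bcd0f5e3] rundll32.exe "C:\WINDOWS\system32\kkfwwiot.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: sqaonpyx - C:\WINDOWS\SYSTEM32\sqaonpyx.dll
O20 - Winlogon Notify: __c00AE7BF - C:\WINDOWS\SYSTEM32\__c00AE7BF.dat
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00EBBE3.dat
"""

# Assumed allowlist: Winlogon Notify packages present on a default Windows XP install.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}
# Vundo-style names seen in this thread: 8 random letters, or __c followed by hex digits.
RANDOM_NAME = re.compile(r"^(?:[a-z]{8}|__c[0-9a-f]{7,8})\.(?:dll|dat)$", re.I)

@dataclass
class Finding:
    severity: str   # "high" or "medium"
    reason: str
    line: str

def _filename(path):
    return path.strip().strip('"').rsplit("\\", 1)[-1]

def triage(log_text):
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if line.startswith("O20 - AppInit_DLLs:"):
            if line.split(":", 1)[1].strip():   # any value here is loaded into every process that uses user32.dll
                findings.append(Finding("high", "AppInit_DLLs set", line))
        elif m := re.match(r"^O20 - Winlogon Notify: (\S+) - ", line):
            if m.group(1).lower() not in KNOWN_NOTIFY:   # runs inside winlogon.exe, survives Safe Mode
                findings.append(Finding("high", "unknown Winlogon Notify package", line))
        elif m := re.match(r"^O2 - BHO: (.*?) - \{[0-9A-F-]+\} - (.*)$", line, re.I):
            name, target = m.groups()
            if target.endswith("(file missing)"):   # CLSID left behind after the DLL was deleted
                findings.append(Finding("medium", "orphaned BHO registration", line))
            elif name == "(no name)" and RANDOM_NAME.match(_filename(target)):
                findings.append(Finding("high", "unnamed BHO with random-name DLL", line))
        elif m := re.match(r"^O4 - .*?: \[.*?\] (.*)$", line):
            dll = re.search(r'"?([^"\s]+\.dll)"?', m.group(1), re.I)
            if "rundll32" in m.group(1).lower() and dll and RANDOM_NAME.match(_filename(dll.group(1))):
                findings.append(Finding("high", "Run key loads random-name DLL via rundll32", line))
    return findings
```

    Calling triage(SAMPLE_LOG) returns six findings; the QuickTime entry is the only sample line that produces none.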
     
  12. etsun

    etsun Private E-2

    So far so good. I've got the latest batch of logs.
     


  13. abri

    abri MajorGeek

    Hi etsun,

    We're almost there! This step should take care of the last file. I would like to see your MGlogs one more time after this set of instructions and then I think I'll be able to post the final cleanup instructions to you. Please do the following:

    1) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select Do a system scan only. In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O2 - BHO: (no name) - {70480E33-F3CA-4A6B-B0CB-CF5B3EE8C2F2} - C:\WINDOWS\system32\nnnKCSKd.dll (file missing)

    After you click fix, just close hijackthis.


    2) Use Erunt to create a backup of your registry. It should be located on your desktop.

    3) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the File Type is set to "all files". Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.
    4) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip


    Let me know how things are running now?

    abri
     
  14. etsun

    etsun Private E-2

    Ok, done, with a new set of logs.
     


  15. abri

    abri MajorGeek

    Hi etsun!
    Happy Day! It's all gone!


    Please go through the final cleanup instructions which will remove all our tools and logs from your computer and we'll have you set a clean restore point. Be sure to take a few minutes and read through the How to protect yourself from malware where we give our recommendations for how to best cover yourself for the least amount of money and the least resources. It's a good reference.
    abri
     
  16. etsun

    etsun Private E-2

    Ah, all done. What an excellent feeling. I have gone through the cleanup instructions without a hitch. Thanks for all your help; you have my gratitude.
     
  17. abri

    abri MajorGeek

    You're welcome etsun!
    Enjoy your computer! :)
     
