Virtumonde/malware/altevents

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by test225, Dec 1, 2004.

  1. test225

    test225 Private E-2

    Hi,

I have followed all the procedures outlined and I am just not able to get rid of this. Every time I run Ad-Aware (I have done it in both normal and safe modes) I still have these four critical objects show up. Any ideas?

    Thanks.


    Vendor:Virtumonde
    Category:Malware
    Object Type:Regkey
    Size:18 Bytes
    Location:atlevents.atlevents.1\
    Last Activity:12-1-2004
    Risk Level:Low
    TAC index:10
    Comment:
    Description:No uninstaller. Bundled install that is undisclosed. May cause system instability. Auto updates. Opens unsolicited websites.
     
  2. Kodo

    Kodo SNATCHSQUATCH

  3. test225

    test225 Private E-2

    OK....I ran hijack this and here is my logfile. Any suggestion? Thanks in advance.



     

    Attached Files: hjt.txt (7.3 KB)
    Last edited by a moderator: Dec 1, 2004
  4. Kodo

    Kodo SNATCHSQUATCH

  5. test225

    test225 Private E-2

Yes, I have run the Symantec Vundo tool. I have not run the alternate scans since IE is extremely SLOW on that machine which is infected and I cannot use Mozilla to run the tools since those sites do not support Mozilla. I know the problem is being caused by that dlldvd.exe. Can I just have Hijack This fix that?
     
  6. Kodo

    Kodo SNATCHSQUATCH

    no, HJT will not fix this because it mutates. It's only used for us to see what's there and what's not.

    The alternate scans at the bottom include a-squared (a²) Personal Edition 1.1 (requires free registration)


    Did you do the scans for all profiles on your computer?

    clear everything in this directory

    C:\Documents and Settings\[YOUR PROFILE NAME]\Local Settings\Temp
     
  7. test225

    test225 Private E-2

    I did the a2 scan and it found three malware files and deleted them. I rebooted and still have the problem. The symptom is that the dlldvd.exe file keeps growing in memory and it is not possible to kill.

    I got rid of everything in the temp folder but there is a file called PMshare that I could not get rid of.
     
  8. Kodo

    Kodo SNATCHSQUATCH

    the dlldvd.exe is part of virtumundo too I believe. We may have to move to using process explorer

    Download it here
    http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

    it's similar to task manager but much more powerful. You should be able to kill the files that are eating up memory and delete them.

    These are the ones I'm watching right here.
    C:\WINDOWS\addins\apdisk.exe
    C:\WINDOWS\inf\mainkey.exe
    C:\WINDOWS\AppPatch\dlldvd.exe rerun

    see if you can terminate them and delete them. Try from safe mode too.
     
  9. test225

    test225 Private E-2

    OK...so good news and bad news. I am not quite sure what I did (BTW, everything that I picked up from this site...I am just not sure of the sequence in which I did Ad-Aware, Spybot, CCleaner, McAfee AVERT etc... in normal and safe modes and in varying combinations!) but I am now able to kill the dlldvd.exe process after normal boot. The bad news is that it still comes up in normal boot. Any suggestions? BTW, Thanks for your help thus far. Thanks to the site also.
     
  10. PhilliePhan

    PhilliePhan Guest

    Hi Test225,

    I don't want to step on Kodo's toes here, but please attach a Fresh HJT log so we can get an up-to-date look.

    PP
     
  11. test225

    test225 Private E-2

    Here you go...

    EDIT: PP
     

    Attached Files:

    Last edited by a moderator: Dec 1, 2004
  12. PhilliePhan

    PhilliePhan Guest

    Test225,

Please download this tool. You will need to run it ONLY IF you lose your Internet Connection after fixing the O10 entry in HJT. I doubt you will need to use this. http://www.cexx.org/lspfix.zip


    I recommend that you look in Add or Remove Programs and Uninstall Viewpoint and Clock Sync and then FIX the HJT entries as noted below.

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.


    Now scan with HijackThis and Check the Boxes for the following:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)

    O2 - BHO: CATLEvents Object - {30279F2D-1A38-4785-97D4-5C3508BDB289} - (no file)

    O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll

    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    O4 - HKLM\..\Run: [*apdisk] C:\WINDOWS\addins\apdisk.exe

    O4 - HKLM\..\Run: [*mainkey] C:\WINDOWS\inf\mainkey.exe

    O4 - HKLM\..\Run: [*dlldvd] C:\WINDOWS\AppPatch\dlldvd.exe

    O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q

    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML

    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

    O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing


    Again, make sure All Browser Windows are Closed when you Click FIX.

    Now boot into Safe Mode and navigate to and DELETE the following if they remain:

    C:\WINDOWS\AppPatch\dlldvd.exe
    C:\WINDOWS\addins\apdisk.exe
    C:\WINDOWS\inf\mainkey.exe
    C:\Program Files\Viewpoint ---> Folder
    C:\Program Files\Clock Sync ---> Folder

    Reboot to Normal Windows and Scan with HijackThis and attach that log using the "Manage Attachments" tool when you post.

    Kodo will likely check back to have the final word.

    Best luck :)
    PP
     
    Last edited by a moderator: Dec 1, 2004
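The fix list above is the kind of thing a helper reads by eye: entries that point at a file or object that is no longer present ("(no file)", "(file missing)"), Run entries launching executables from odd Windows subfolders such as addins, inf and AppPatch, and an O10 line showing a Winsock LSP provider that has gone missing (which is why LSPFix is offered before the fix). The script below is an added example, not HijackThis code and not anything posted in this thread; it parses those same log lines (copied from the post as a constructed sample) and applies the three heuristics just named. The flagging rules and the NORMAL_SUBDIRS allow-list are my own assumptions, not HijackThis logic, and are meant as a triage aid, not a verdict.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code).

The flagging rules below are assumptions: simple heuristics a helper applies by eye.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the entries listed for fixing in the post above.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: CATLEvents Object - {30279F2D-1A38-4785-97D4-5C3508BDB289} - (no file)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [*apdisk] C:\WINDOWS\addins\apdisk.exe
O4 - HKLM\..\Run: [*mainkey] C:\WINDOWS\inf\mainkey.exe
O4 - HKLM\..\Run: [*dlldvd] C:\WINDOWS\AppPatch\dlldvd.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|htm|html|scr|com|bat)\b", re.IGNORECASE)
QUOTED_RE = re.compile(r"'([^']+)'")
# Assumed heuristic: a startup program launched from a Windows subfolder other than
# system32/system (addins, inf, AppPatch, ...) is unusual and deserves a look.
WINDOWS_SUBDIR_RE = re.compile(
    r"^[A-Za-z]:\\(?:WINDOWS|WINNT)\\(?P<sub>[^\\]+)\\[^\\]+$", re.IGNORECASE)
NORMAL_SUBDIRS = {"system32", "system"}


@dataclass
class Entry:
    section: str
    body: str
    clsid: Optional[str] = None
    path: Optional[str] = None
    flags: List[str] = field(default_factory=list)

    @property
    def subject(self) -> str:
        """What to report: the file path, else the CLSID, else a quoted item, else the text."""
        if self.path:
            return self.path
        if self.clsid:
            return self.clsid
        quoted = QUOTED_RE.search(self.body)
        return quoted.group(1) if quoted else self.body


def parse_line(line: str) -> Optional[Entry]:
    """Split one log line into section code and body; pull out CLSID and file path if present."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    clsid = CLSID_RE.search(body)
    path = PATH_RE.search(body)
    return Entry(m.group("section"), body,
                 clsid.group(0) if clsid else None,
                 path.group(0) if path else None)


def flag_entry(e: Entry) -> None:
    """Apply the heuristics; matching flag names are appended to e.flags."""
    lower = e.body.lower()
    # Registration left behind for a file or object that no longer exists.
    if "(no file)" in lower or "(file missing)" in lower:
        e.flags.append("orphan")
    # Run entry launched from an unusual Windows subfolder.
    if e.section == "O4" and e.path:
        sub = WINDOWS_SUBDIR_RE.match(e.path)
        if sub and sub.group("sub").lower() not in NORMAL_SUBDIRS:
            e.flags.append("run_from_windows_subdir")
    # Winsock LSP chain references a provider DLL that is gone; removing the entry
    # blindly can break networking, hence the LSPFix download offered first.
    if e.section == "O10" and "missing" in lower:
        e.flags.append("lsp_broken")


def analyze(log_text: str) -> List[Entry]:
    """Parse every recognisable line and flag it."""
    entries = [e for e in (parse_line(ln) for ln in log_text.splitlines()) if e]
    for e in entries:
        flag_entry(e)
    return entries


def summarize(entries: List[Entry]) -> Dict[str, List[str]]:
    """Group flagged subjects by flag name, preserving log order."""
    out: Dict[str, List[str]] = {}
    for e in entries:
        for f in e.flags:
            out.setdefault(f, []).append(e.subject)
    return out


if __name__ == "__main__":
    for flag, subjects in summarize(analyze(SAMPLE_LOG)).items():
        print(f"{flag}:")
        for s in subjects:
            print(f"  {s}")
```

Run as-is it reports the three Run entries under C:\WINDOWS\addins, inf and AppPatch, the three orphaned CLSID/file references, and the missing connwsp.dll provider; point `analyze()` at a full log instead of SAMPLE_LOG to triage a real one. An entry that is flagged is only a candidate for a closer look, which is exactly the role Kodo describes for HJT above: it shows what is there, it does not decide.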
  13. test225

    test225 Private E-2

    PhilliePhan and Kodo,

    That fixed it. I was unable to delete the O10 entry using Hijack This ( broken internet) but the main problem is gone and I have the PC back. BTW, I use Mozilla all the time personally, but there are certain applications at work that only work with IE. I have never really liked MS but I did not despise them as many people I know do. I now understand why so many people hate them with such passion.

    Thanks for your help. The log is attached.
     

    Attached Files:
