Virtumonde/Virtumundo Problems???

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by hulagurl, Oct 31, 2004.

  1. hulagurl

    hulagurl Private E-2

    Request assistance (actually begging) to rid computer of Virtumonde/Virtumundo and whatever else is directing all of my browsing to WINFIREWALL purchasing opportunities then crashing IE and all at the same time making the CPU usage run high.

    I am running Windows 2000 Professional on a Dell Computer. I had been using IE and have since downloaded and presently using Netscape 7.2.

    I have done the checks/scans in the “Read me First Before Asking for Support” tutorial and the following are the results:
    1. Started in Safe Mode
    2. Ran Trend Micro's Free Online Scan
    -Found TrojAgent.pc (non-cleanable), TrojRevop.A, TrojVrtumonde.A (in two files).
    -Results: Program deleted 5 infected files
    3. Ran Symantec Security Check On-line
    -Results: Safe: Hacker Exposure/Windows Vulnerability/Trojan Horse/Virus Protection Update.
    At risk: Antivirus Product check: not most current version (I run Norton AV 2002)
    4. Ran McAfee AVERT Stinger Ver 2.4.3.0
    -Results: Nothing noted
    5. Ran CCleaner Ver 1.14.072
    -Results: said “cleaned”
    6. Ran AdAware SE Ver 1.05 with the VX2 Plug-in
    -Results - Quarantined/Removed: Alexa, Eacceleration, Virtumundo (no uninstaller so I assume it’s still there) and Topsearch.
    7. Ran SpyBot S&D Ver 1.2
    -Results: “No immediate threats”
    8. Ran CWShredder Ver 2.00
    -Results: Program removed files: cws.jksearch and cws.hiddendll
    9. Ran Kill2me Ver 1.11
    -Results: “Removed Look2Me infection (if present)”
    10. Ran AboutBuster Ver 3.0
    -Results: Ref List: 15. No ADS found on system. Attempted clean of temp folder pages reset done. (I did 2 scans as recommended with the same results)
    11. Ran HS Remove Ver 2.39
    -Results: “8 Items removed” (Don’t know what 8 items).

    Attempted to run Bitdefender online. Browser hung-up and crashed. Couldn’t download program.

    Have since downloaded and installed HiJack This…I’m not very comfortable with using it as well as doing any registry manipulation. I did back-up the “Registry” using the System Tools’ Back-up Wizard – only backing up the System State Data.

    Reading other threads in this Forum and from links via Google, I really think that Virtumonde/Virtumundo is the culprit … which perhaps would require some registry editing which I am totally at a loss.

    Thank you in advance for your time and patience.

    Aloha,
    Hulagurl
     
  2. Kodo

    Kodo SNATCHSQUATCH

  3. PhilliePhan

    PhilliePhan Guest

    Hi Hulagurl,

    It sounds like you have a StopGuard infection. (Symptoms include ads for WinFirewall and StopGuard that can shut down IE) Please attach a HijackThis Log as per the instructions in the link that Kodo gave you.

    NOTE that you MUST NOT REBOOT after doing this as the bad files will mutate if you do so.

    For more info, please check out these links:
    Morphing malware
    Could use some help.
    urlap.exe

    As you can see from the above links, Stopguard can be a pain in the ass, but its pattern is easily recognizable. Send us a HJT log and we'll see if we can get you fixed up :)

    I'll check back when I get a chance - Usually in the wee hours.

    Best,
    PP
     
    Last edited by a moderator: Oct 31, 2004
  4. hulagurl

    hulagurl Private E-2

    Thank you for the prompt response. I have attached the HiJackThis log in text format as requested.

    aloha,
    hulagurl
     

    Attached Files:

  5. PhilliePhan

    PhilliePhan Guest

    Hi Hulagurl,

    You have a lot of Stopguard related entries. I'll try to post a fix for you late tonight (probably not so late for you - Aloha ;) ) or tomorrow.

    Did you note the pattern in the links I posted?

    I assume this is legit and wanted:
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - http://www.musicnotes.com/download/mnviewer.cab

    The same for the Hawaii entries? (proxy server, etc...) I'm just covering all bases.

    Best,
    PP
     
  6. hulagurl

    hulagurl Private E-2

    Aloha PP,

    thanks again.

    1. Yes, did notice the pattern...still it's too much for me to tackle on my own.
    2. No, I don't want the music notes even if it is legit ... a "friend" installed it.
    3. I guess the Hawaii stuff is ok ... don't really know so might as well keep it?

    hulagurl

    p.s. your wee hours just got closer due to daylight savings... we don't "fall back" here since it's always paradise!!
     
  7. PhilliePhan

    PhilliePhan Guest

    I don't need to hear that! ;)

    I'm going to grab a bite to eat - I'll post a workthrough in a couple hours. Other than Stopguard, your log looks OK.

    PP
     
  8. PhilliePhan

    PhilliePhan Guest

    Hi Hulagurl,

    Here's the workthrough I promised. Please follow the instructions carefully. Sometimes StopGuard doesn't like to go quietly. Of course, you may have already surmised this after watching it survive the anti-spyware arsenal you threw at your computer earlier! ;)

    Please print out these instructions so that you will be able to operate with All browser windows CLOSED.

    Please Enable the Viewing of Hidden Files as per the instructions HERE: How to Show System Files

    NOW:
    Run HijackThis and Check the Boxes for the Following:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

    F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe

    O2 - BHO: CATLEvents Object - {6A06CDAD-9D2D-42A0-9C91-C0CF7CB9971B} - C:\DOCUME~1\ELYSEC~1.FAR\LOCALS~1\Temp\lldcod.dat

    O2 - BHO: CATLEvents Object - {870B70D4-F6DA-47AE-9158-D146440A0A4D} - C:\DOCUME~1\ELYSEC~1.FAR\LOCALS~1\Temp\siipxe.dat

    O4 - HKLM\..\Run: [*docdll] C:\WINNT\assembly\temp\docdll.exe

    O4 - HKLM\..\Run: [*rasdisk] C:\WINNT\Registration\rasdisk.exe

    O4 - HKLM\..\Run: [*cdns] C:\WINNT\Web\cdns.exe

    O4 - HKLM\..\RunOnce: [*drv] C:\WINNT\assembly\drv.exe rerun

    O4 - HKLM\..\RunOnce: [*expiis] C:\WINNT\AppPatch\expiis.exe rerun

    O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINNT\system32\bkinst.exe ren time:1099208023

    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - http://www.musicnotes.com/download/mnviewer.cab


    Click FIX and then while still in HijackThis, look in the lower right-hand box where it says “Other stuff,” and select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, enter (or navigate to the file in the HijackThis pane) C:\WINNT\AppPatch\expiis.exe and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE by tapping F8.
    You may receive an error message after rebooting into Safe Mode that says Windows could not find the file you told it to delete. Just click okay and DO NOT REBOOT AGAIN.

    While in Safe Mode (making sure that you are able to view hidden files) find and DELETE the following if they remain:

    C:\WINNT\system32\bkinst.exe - - -> This is likely the Master .exe
    C:\WINNT\AppPatch\expiis.exe
    C:\WINNT\assembly\drv.exe

    Use Windows Explorer to run a search of your computer for:
    bkinst
    lldcod
    siipxe
    docdll
    expiis


    and DELETE the related files. (We especially want to get rid of siipxe.ini & siipxe.dat and lldcod.ini & lldcod.dat + any other related crap.) It is important that you be thorough with this search. These files seem to like to hide all over your computer and have a nasty habit of resurrecting themselves if you do not get them ALL.

    NEXT:
    Run CCleaner and Spybot S&D again.

    Then, go to C:\Documents and Settings\Administrator\Local Settings\Temp and Delete any files or folders that remain.

    Reboot to Normal Windows and Attach a fresh HJT log. Let us know of any problems that you may have encountered with the above instructions. Also, let us know if you find StopGuard remnants hiding in weird places!

    Best luck :)
    PP
     
    Last edited by a moderator: Oct 31, 2004
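As an added illustration (not the forum's own tool and not PP's code), the following Python script applies the StopGuard pattern PP describes to HijackThis log lines: a CATLEvents BHO loading a .dat file from a Temp folder, and `*`-named Run/RunOnce entries that relaunch themselves with `rerun` or `ren time:`. The sample lines are the entries quoted in this thread plus two constructed benign entries with placeholder names; the heuristics are an assumption drawn from this thread only, not a general signature.

```python
import re

# Constructed sample log: the StopGuard-pattern lines quoted in this thread plus
# two benign entries (placeholder names and CLSID, not real products) for contrast.
SAMPLE_LOG = r"""
O2 - BHO: CATLEvents Object - {6A06CDAD-9D2D-42A0-9C91-C0CF7CB9971B} - C:\DOCUME~1\ELYSEC~1.FAR\LOCALS~1\Temp\lldcod.dat
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [*docdll] C:\WINNT\assembly\temp\docdll.exe
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O4 - HKLM\..\RunOnce: [*drv] C:\WINNT\assembly\drv.exe rerun
O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINNT\system32\bkinst.exe ren time:1099208023
""".strip()

# HJT line formats for the two entry types the thread's fix list revolves around.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+?)( \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[LC][MU])\\\.\.\\(?P<key>Run|RunOnce): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def classify(line):
    """Return a reason string if the line fits the StopGuard pattern seen in this thread, else None."""
    m = O2_RE.match(line)
    if m:
        path = m.group("path").lower()
        if m.group("name") == "CATLEvents Object" and path.endswith(".dat") and "\\temp\\" in path:
            return "CATLEvents BHO loading a .dat from a Temp folder"
        return None
    m = O4_RE.match(line)
    if m:
        name, cmd = m.group("name"), m.group("cmd")
        if name.startswith("*"):
            return "autorun entry name starts with '*'"
        if cmd.endswith(" rerun") or re.search(r" ren time:\d+$", cmd):
            return "autorun re-installs itself via 'rerun' / 'ren time:' argument"
    return None

def flag_stopguard(log_text):
    """Return [(line, reason)] for every suspicious entry, in log order."""
    out = []
    for raw in log_text.splitlines():
        reason = classify(raw.strip())
        if reason:
            out.append((raw.strip(), reason))
    return out

def files_to_delete(findings):
    """Extract the loaded file paths so they can be fed to HJT's 'delete a file on reboot' step."""
    paths = []
    for line, _ in findings:
        m = O2_RE.match(line) or O4_RE.match(line)
        target = m.group("path") if "path" in m.groupdict() else m.group("cmd")
        # Strip the trailing 'rerun' / 'ren time:NNN' argument, keeping only the path.
        paths.append(re.sub(r" (rerun|ren time:\d+)$", "", target))
    return paths

if __name__ == "__main__":
    for line, reason in flag_stopguard(SAMPLE_LOG):
        print(f"{reason}: {line}")
```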
  9. hulagurl

    hulagurl Private E-2

    Hi PP:

    1. I performed the fix - verbatim.
    2. Attached is the HJT log.
    3. Notice that the item which HJT was checked to delete still remains but this time it has "(file missing)" - see below.

    O2 - BHO: CATLEvents Object - {870B70D4-F6DA-47AE-9158-D146440A0A4D} - C:\DOCUME~1\ELYSEC~1.FAR\LOCALS~1\Temp\siipxe.dat (file missing)

    Should I have HJT delete it again?

    4. Did not find the files to delete while in Safe Mode - so assume they didn't exist?
    C:\WINNT\AppPatch\expiis.exe
    C:\WINNT\Assembly\drv.exe

    5. Also noted that after I rebooted into Safe Mode, received Program Error: "bkinst.exe has generated errors and will be closed by Windows. You will need to restart the program. An error log has been created". I just clicked ok and went on with the instructions.

    Standing by for the all clear....

    Mahalo,
    hulagurl
     

    Attached Files:

  10. PhilliePhan

    PhilliePhan Guest

    Hi hulagurl,

    Go ahead and have HJT fix that BHO.

    Also, along the same lines as before, have it delete a file on reboot. This time, try entering C:\WINNT\system32\bkinst.exe and let's see what happens. If you get a message saying that Windows cannot find it, go ahead and reboot again anyway.

    Then, Reboot AGAIN and scan with HJT and attach that log and we'll go from there ;)

    PP
     
  11. hulagurl

    hulagurl Private E-2

    Hi PP:

    Used HJT to remove the BHO and rebooted - didn't get an error when rebooted. Then I rebooted again and ran HJT.... the BHO is gone. As far as I can tell there are no other changes from the second time I ran HJT... but please check again. thx.

    Mahalo,
    hulagurl
     

    Attached Files:

  12. PhilliePhan

    PhilliePhan Guest

    Hi Hulagurl,

    That is a clean log. A little busy, but clean. Good job! :)

    It looks like you got everything. If this turns out not to be the case & Stopguard manages to resurrect itself, just give us a shout! (I'm always a little wary with this bugger!)

    Also, take a look at Chaslang's recommendations HERE: How to protect yourself from malware!

    You might also consider this FREE tool: BHODemon

    Best,
    PP
     
  13. hulagurl

    hulagurl Private E-2

    Thanks a bunch for all the help....couldn't have done it without your patience and expertise. I'll experiment and surf a bit prior to calling it a day.

    I will also take a look at the Malware prevention, I think that I will also keep to using Netscape for the time being.



    Mahalo nui loa,
    Hulagurl
     
  14. PhilliePhan

    PhilliePhan Guest

    You're welcome. Glad to be able to help :)

    Happy & Safe Surfing (Hawaii Style!)

    PP
     
  15. PhilliePhan

    PhilliePhan Guest

    Or should I have said Ke aloha nô me ka mahalo kâua!

    PP :)
     
  16. Moff_Seerdon

    Moff_Seerdon Private E-2

    I currently have 4 still on my list on Hijackthis log, 2 or 3 I can't get rid of and the rest I recognize to an extent. Most have my antivirus program in the name.
     
