Virtumonde

Discussion in 'Malware Help (A Specialist Will Reply)' started by Robot Porter, Nov 24, 2007.

  1. Robot Porter

    Robot Porter Private E-2

    I ran the Malware Removal Procedure. The files you suggested we upload are attached to this and the next post.
     

    Attached Files:

  2. Robot Porter

    Robot Porter Private E-2

    Here are the rest.
     

    Attached Files:

  3. Robot Porter

    Robot Porter Private E-2

    And you might want to see this one as well.
     

    Attached Files:

  4. Robot Porter

    Robot Porter Private E-2

    Sorry, I originally did the HijackThis procedure wrong. I forgot to rename the exe "analyse.exe". I re-ran the test, following the instructions and here is the correct log.

    I apologize for the mistake.
     

    Attached Files:

  5. abri

    abri MajorGeek

    Greetings Robot Porter!
    Welcome to Majorgeeks!

    Please go to add/remove programs and uninstall the following programs:
    - Viewpoint Media Player
    - Sunbelt Counterspy <------ we are finished with this now.

    Then, please rename hijackthis.exe to analyse.exe and rerun it. You don't have to rename the log file which is hijackthis.log. Only the hijackthis.exe file. The reason we do this is because there are certain infections which evade detection if they recognize the program running.
    Thanks.
    abri
     
  6. Robot Porter

    Robot Porter Private E-2

    I've removed those two programs. Here's the new HJT log.
     

    Attached Files:

  7. abri

    abri MajorGeek

    oops, sorry, just saw your corrected hijackthis
     
  8. Robot Porter

    Robot Porter Private E-2

    That's okay. Ran a new one anyway.
     
  9. abri

    abri MajorGeek

    Hi Robot Porter,
    Please do the following:


    1) Download

    - Process Explorer


    Extract it to a folder somewhere that you will be able to locate it later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of awvvv.dll once and then click the kill button. After you have killed all of the awvvv.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    awvvv.dll
    Next double click on explorer.exe and again click once on each instance of awvvv.dll and kill it. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    awvvv.dll

    Now just exit Process Explorer.

    2) Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {88EF1D0B-1320-4475-B0C9-FBA05955CBD5} - C:\WINDOWS\system32\awvvv.dll
    O2 - BHO: {bc6b400c-b915-e829-b8f4-e4f5c4f4224e} - {e4224f4c-5f4e-4f8b-928e-519bc004b6cb} - C:\WINDOWS\system32\inoqtnaa.dll (file missing)
    O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe

    After clicking Fix, exit HJT.

    3) Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    4) Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:
    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt


    5) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    6) After you have completed the above in the correct order, please attach the following logs.
    • Avenger Log
    • ShowNew Log
    • GetRunKey Log
    • HijackThis Log
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    abri
     
  10. Robot Porter

    Robot Porter Private E-2

    Okay, so I had to run this process twice because I didn't quite follow your instructions regarding Process Explorer because they were a bit jumbled on the page.

    But as I understand it, you wanted me to double click on "winlogon," click the threads tab, then kill all instances of "awvvv.dll" I found there.

    Then repeat this for explorer.exe, looking for the same file.

    This is what I did the second time. I found no instances of this file in "winlogon" but several in "explorer.exe" and killed them.

    I then repeated all the procedures. Therefore, the Avenger.txt has some errors, which it didn't the first time through.

    Logs attached.
     

    Attached Files:

  11. Robot Porter

    Robot Porter Private E-2

    Here's the HJT log. There still appear to be several bad entries.
     

    Attached Files:

  12. abri

    abri MajorGeek

    Hi Robot Porter,
    You got the instructions right, but I left out one instance, so I would like to repeat the instructions for process explorer, hopefully not garbled this time. There is a stubborn file there. Some of the files are mutating, so we have to get them all to prevent them coming back when you shut down and log on again.


    1) Make sure you have rebooted in Normal Mode (do not open any other processes)

    Make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer again.

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of any of the below DLL files (if found) and then click the kill button.
    awvvv.dll
    After you have killed all instances of any of the above DLLs under winlogon click ok.
    (If you do not find these DLLS, just continue on.)

    Next double click on explorer.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    awvvv.dll


    After you have killed all instances of any of the above DLLs under Explorer click ok.
    (If you do not find these DLLS, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    awvvv.dll

    After you have killed all instances of any of the above DLLs under iexplore click ok.
    (If you do not find these DLLS, just continue on.)

    Now just exit Process Explorer.

    2) Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {45D3B7D8-0EE3-4619-BC26-63D367AF5F65} - C:\WINDOWS\system32\awvvv.dll
    O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\hgghgde.dll (file missing)
    After clicking Fix, exit HJT.


    3) Now
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    4) Now run ATF Cleaner as per the instructions in post number 9

    5) Now attach the below new logs and tell me how the above steps went and how your computer is doing.
    1. Avenger
    2. GetRunKey
    3. ShowNew
    4. HJT


    abri
     
  13. Robot Porter

    Robot Porter Private E-2

    I swear I posted this earlier. But it's not here. So I'm doing it again. Looks like there's still a suspicious entry or two.
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to attach all of the NEW logs that Abri requested.
     
  15. Robot Porter

    Robot Porter Private E-2

    I think that got it.
     

    Attached Files:

  16. Robot Porter

    Robot Porter Private E-2

    That file awvvv.dll is now showing up in a "file missing" entry.

    I think I know what I do from here. I fix that entry, reboot, then check HJT again to make sure it's gone.

    Is that correct?
     
  17. Robot Porter

    Robot Porter Private E-2

    Sorry, here's the new HJT log. Forgot to attach this to last post. I'm in New York City. It's very late here.
     

    Attached Files:

  18. abri

    abri MajorGeek

    Hi Robot Porter,
    yes, the hijack this entry is the one. Try fixing it and see if it's gone. You also need to rerun ATF Cleaner again as I think something keeps trying to hide in your temp files. There's also one file under Windows that I don't like. Please do the following:
    Rename C:\WINDOWS\yuxuhrjx.txt to yuxuhrjx.txt.old and move it out of Windows. Then continue with the instructions below:

    Run HijackThis and fix:
    O2 - BHO: (no name) - {F056023C-F1D7-40F3-99AD-2D0BB5BDA4F7} - C:\WINDOWS\system32\awvvv.dll (file missing)

    Then run ATF Cleaner making sure this folder is checked to be cleared:
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\

    I think it already is, because the tmp files in there are all new.

    After you've completed the above, please run HijackThis again and check it for that one entry. If it's gone, reboot and rerun HijackThis and make sure it's still gone. Then post a fresh ShowNew (newfiles.txt) log to me so I can see if anything else is coming back.

    How is your computer running? I will be traveling and not in as much. I'll ask someone to look at this to make sure your logs are clean.

    abri
     
  19. abri

    abri MajorGeek

    A note to add to post 18. Remember to close all browser windows including this one, before you click fix when you are running hijackthis.
    thanks.
    interesting name by the way :)

    abri
     
  20. Robot Porter

    Robot Porter Private E-2

    Okay, I ran all those steps. That entry was gone from HJT after I ran ATF cleaner, and gone after I rebooted.

    I've attached the Show New log.

    The computer is running okay. Though I am noticing more calls on the hard drive than I like to hear, after the last reboot. This was the initial symptom that made me go searching for malware. So check this log carefully.

    If this log is clean do you want me to flush system restore, by turning it off, rebooting, and turning it on again?

    Also, I'd like to fix problems like this by myself in the future. I lurked here for several days trying to figure out how other people were being helped, and I understood everything except for where all the entries came from that you asked to be entered in Avenger. Many made sense, but some I couldn't figure out. Can you point me in the direction of some place I could learn more about how this is done?

    Thanks for the comment about my screen name. It started as a complicated "in joke" (it has nothing to do with my actual name) but then I noticed that it was one of those screen names that was never taken, but tended to be memorable. So I use it on a lot of forums.

    The only problem is sometimes people think "Robot" is "Robert." But since I found that avatar, most people no longer make that mistake. Though I wish the text below that avatar was readable, because it says, "Was this monster created by an electronic computer?"

    The avatar comes from a poster for the movie CREATION OF THE HUMANOIDS
    (1962)
    .

    More information than you needed? ;)
     

    Attached Files:

  21. Robot Porter

    Robot Porter Private E-2

    Oh, also, tell me when I can delete "yuxuhrjx.txt.old."

    Thanks.
     
  22. abri

    abri MajorGeek

    Please run the three standards again, ShowNew, GetRunKeys and HijackThis and attach them. I'll make sure the registry entries are gone. I think they are all clean. I can have you run a rootkit, but I don't know that you'll find anything there. Try Sophos and the AVG Antirootkit and see if they come up with anything. They can be found here:

    http://forums.majorgeeks.com/showthread.php?t=80343


    I'm trying to track down what the one KB file starting with Symantec is in your add/remove programs. Since you're not using Symantec, I'm not sure it's needed, however, I'd like to know what it is. Symantec is disagreeable to other antivirus programs, so it might be causing some problems. I will get back to you about this.

    My best advice is to continue lurking and to observe what kinds of things infect people's computers and how they are handled. If a file looks suspicious, google it and check more than one website to narrow down what the file actually is. There's a lot of information, but not all of it is accurate. Also, a lot more files are valid than people tend to think. And the other thing which makes removal procedures complicated, is that it's important to get as much as possible all at once so the viruses can't repopulate the computer. Sometimes if you resolve the issues of one virus, you uncover another. As far as deleting files goes, the worst thing that any user can do is to go on a deletion spree. I think if you follow the instructions in the How to Protect Yourself From Malware sticky, you'll also get some good advice there.


    It doesn't surprise me that the name originally comes from a sci-fi movie, but in the meantime, it seems the Japanese have additionally developed a robot to carry luggage and have named it Robot Porter, which I found quite funny.

    Please upload this here with your next post so I can look at it.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I think you will find that it is just a temporary file from Avenger. ;)
     
  24. Robot Porter

    Robot Porter Private E-2

    Norton used to be on this computer, but I didn't like it and dumped it in favor of the Zone Alarm/Avast combo which I'd been using before.

    The name doesn't come from that movie, just my avatar. The name is just some nonsense of my own invention. I tried to track down a picture of the Japanese "Robot Porter" but couldn't find one yet.

    The logs you requested are attached.
     

    Attached Files:

  25. Robot Porter

    Robot Porter Private E-2

    The AVG link seems to be broken. But I ran Bitdefender RootkitUncover, which found nothing. And Sophos which found one file which appears to be a legitimate AOL file, but I've attached the log.
     

    Attached Files:

  26. abri

    abri MajorGeek

    Hi Robot Porter,
    Sorry I was underway and couldn't get back to you right away. Your logs look free of malware. There are a couple of things left though. I see in HijackThis that Symantec Live Update is still running. We need to turn that off. Also, in add/remove programs you have another Symantec which we may or may not be able to remove. The file you renamed can be removed. Also, Chaslang mentioned that you have two different HP things used for updating that are running and that you might not need both of them.

    Please do the following:

    1) Please find the yuxuhrjx.txt.old under C:\ and delete it.

    2) We need to kill the following service:
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

    Please do the following:
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to LiveUpdate
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste LiveUpdate into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but wait to reboot until after running ATF Cleaner further down.

    3) Now, please go to add/remove programs and uninstall Symantec KB-DocID:2003093015493306

    4) Go to the following webpage and download GetUnKeys

    Follow the instructions for running and post the log back. If the Symantec entry in add/remove programs doesn't get uninstalled, we will use this log to create a registry patch to delete it. Attach the getunkeys log with your next post.

    5) Finally, please rerun ATF Cleaner, but before you do, open your most recent newfiles.txt log and do a search for Local Settings\TEMP which is towards the bottom of the page above the uninstalls list. That folder is very full and I wonder if you recognize some of the entries in there? I'm not sure where they're all coming from. After you've run ATF Cleaner, please reboot your computer and finish up with the following step.

    6) Finally, I would like for you to post a fresh hijackthis log and a newfiles.txt log along with the GetUnKeys log. After this I will give you our final cleaning instructions and have you set a clean restore point and if necessary, give you that one last registry patch for the Symantec entry.

    Thanks!
    abri
     
  27. Robot Porter

    Robot Porter Private E-2



    I don't see this in add/remove. The only Symantec file I see is the LiveUpdate progam itself.

    Also I looked at those temp files. They look like game files to me. Not sure why they're writing to the temp file.
     
  28. Robot Porter

    Robot Porter Private E-2

    I completed the steps minus the one mentioned below. I notice that file in Show New Log, but it does not appear when in Add/Remove programs.

    Further, the GetUnkeys log is too large to upload to this forum.

    The other two logs are attached.
     

    Attached Files:

  29. Robot Porter

    Robot Porter Private E-2

    One other thing, the GetUnkeys link you posted in your message wasn't working for me. I had to search the forums to find that page.
     
  30. abri

    abri MajorGeek

    Sorry about the bad link and thanks for finding it. Can you zip this log and then upload it? Otherwise, I can possibly tell you what to look for.

    I'm looking for the Symantec key to be as follows. It should be in the GetUnKey uninstalls list if it's the right key.


    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}]

    abri
     
  31. Robot Porter

    Robot Porter Private E-2

    I don't see that file, but I attached the zip log.
     

    Attached Files:

  32. abri

    abri MajorGeek

    Hi Robot Porter!

    Please do the following:

    Disable system restore, reboot and reenable system restore.

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now reboot your PC.

    How are things working? If everything is okay, continue onto the below steps.
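An added example, not part of the thread and not the fixme.reg / fixME.reg files abri posted (those were "bold text" in the original posts and are not preserved on this page). It shows what the HijackThis entries quoted in posts 9, 12, 18 and 26 actually correspond to in the registry, and what a registry patch that removes them looks like. Only the HJT lines and the Uninstall GUID from post 30 are taken from the thread; the registry paths are the standard Windows locations that O2 (Browser Helper Objects), O4 (Run values), O23 (services) and Add/Remove Programs read from, and the `.reg` syntax (`[-Key]` deletes a key, `"Name"=-` deletes a value) is standard regedit syntax. The sample input is constructed from the quoted lines because the thread's full logs were attachments.

```python
"""Turn HijackThis log lines into the registry clean-up they imply.

Added example for this thread, not code from MajorGeeks, HijackThis or
abri.  Removing a registry key does not remove the DLL or EXE it pointed
at: a DLL still loaded into winlogon.exe or explorer.exe (the Process
Explorer step in posts 9 and 12) has to be unloaded and deleted at
reboot (the Avenger step) separately, and a service should be stopped
and disabled (post 26) before its key is deleted.
"""
import re
from typing import Dict, List

# Constructed input: the lines quoted in posts 9, 12, 18 and 26.
HJT_LINES = [
    r"O2 - BHO: (no name) - {88EF1D0B-1320-4475-B0C9-FBA05955CBD5} - C:\WINDOWS\system32\awvvv.dll",
    r"O2 - BHO: {bc6b400c-b915-e829-b8f4-e4f5c4f4224e} - {e4224f4c-5f4e-4f8b-928e-519bc004b6cb} - C:\WINDOWS\system32\inoqtnaa.dll (file missing)",
    r"O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe",
    r"O2 - BHO: (no name) - {45D3B7D8-0EE3-4619-BC26-63D367AF5F65} - C:\WINDOWS\system32\awvvv.dll",
    r"O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\hgghgde.dll (file missing)",
    r"O2 - BHO: (no name) - {F056023C-F1D7-40F3-99AD-2D0BB5BDA4F7} - C:\WINDOWS\system32\awvvv.dll (file missing)",
    r"O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE",
]

# Add/Remove Programs entry abri asked about in post 30.
UNINSTALL_GUIDS = ["{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}"]

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# O2: "<name> - <CLSID> - <path>[ (file missing)]".  Vundo often gives the
# BHO a GUID-looking *name* (second line above); the real CLSID is the GUID
# directly before the path, which the non-greedy name group leaves for us.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + GUID + r") - "
                   r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): "
                   r"\[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
UNINSTALL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"


def parse_hjt(lines: List[str]) -> List[Dict[str, object]]:
    """Return one dict per recognised O2 (BHO), O4 (Run) or O23 (service) line."""
    entries: List[Dict[str, object]] = []
    for raw in lines:
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            entries.append({"kind": "O2", "clsid": m["clsid"], "path": m["path"],
                            "missing": m["missing"] is not None})
            continue
        m = O4_RE.match(line)
        if m:
            entries.append({"kind": "O4", "hive": m["hive"], "key": m["key"],
                            "name": m["name"], "cmd": m["cmd"]})
            continue
        m = O23_RE.match(line)
        if m:
            # HJT prints "Display Name (KeyName)" when the two differ; the
            # registry key (the name HJT's "Delete an NT Service" asks for)
            # is the part in parentheses, otherwise the display name itself.
            key = re.search(r"\(([^()]+)\)$", m["name"])
            entries.append({"kind": "O23", "path": m["path"],
                            "service": key.group(1) if key else m["name"]})
    return entries


def build_reg(entries: List[Dict[str, object]], uninstall_guids=()) -> str:
    """Emit a regedit patch that removes every parsed entry, CLSIDs deduplicated."""
    out = ["Windows Registry Editor Version 5.00", ""]
    seen = set()
    for e in entries:
        if e["kind"] == "O2":
            if e["clsid"] in seen:
                continue
            seen.add(e["clsid"])
            # A BHO is registered twice: the BHO list (what IE loads) and the
            # COM class itself.  Both must go or the DLL can be re-listed.
            out += ["[-%s\\%s]" % (BHO_KEY, e["clsid"]),
                    "[-HKEY_CLASSES_ROOT\\CLSID\\%s]" % e["clsid"], ""]
        elif e["kind"] == "O4":
            # Fixing an O4 line only deletes the Run value; the program stays.
            out += ["[%s\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\%s]"
                    % (HIVES[e["hive"]], e["key"]), '"%s"=-' % e["name"], ""]
        elif e["kind"] == "O23":
            out += ["[-%s\\%s]" % (SERVICES_KEY, e["service"]), ""]
    for guid in uninstall_guids:
        # Only the Add/Remove Programs listing; no files are touched.
        out += ["[-%s\\%s]" % (UNINSTALL_KEY, guid), ""]
    return "\r\n".join(out)


def files_to_remove(entries: List[Dict[str, object]]) -> List[str]:
    """DLLs the log says are still on disk: these need the Avenger/reboot step."""
    return sorted({e["path"] for e in entries if e["kind"] == "O2" and not e["missing"]})


if __name__ == "__main__":
    parsed = parse_hjt(HJT_LINES)
    print(build_reg(parsed, UNINSTALL_GUIDS))
    print("; still on disk:", files_to_remove(parsed))
```

Three points the output makes visible. The same DLL, awvvv.dll, is registered under three different CLSIDs across posts 9, 12 and 18, which is the "mutating" behaviour abri describes; the patch has to cover every CLSID seen, not just the latest. A "(file missing)" entry is a dangling registration and only needs the registry fix, while an entry whose file is present also needs the file removed at reboot. Merging the patch needs an administrator account (double-click, or `regedit /s fixme.reg`), and as in post 26 the service is stopped and set to Disabled first, since deleting the key of a running service does not stop it.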

     
  33. Robot Porter

    Robot Porter Private E-2

    Finished with all these steps. Everything seems to be running fine.

    Thanks for all your help.
     
  34. abri

    abri MajorGeek

    That's good to hear.

    Happy surfing!

    abri
     
