virtumundo/stopguard? Please help remove.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ginnyt, Nov 15, 2004.

  1. ginnyt

    ginnyt Private E-2

    Thank you for this site! I have learned so much. My own computer is safe, but I have been trying to rescue a friend's PC who never ran anti-virus, firewall, or anti-spyware, or any updates until now. System restore has been turned off and hidden files and extensions made visible. I have gone through all of the steps in "How to: Spyware, Trojan And Virus Removal" in normal mode, then again in safe mode. I could not do the online scans in safe mode since her SBC yahoo connection could not be made in safe mode with networking.

    Many items were removed by the first scan with spybot. Then we loaded Mcafee Virus scan. No viruses were found. Windows service pack 2 was added. Then all scans re-run. CWshredder removed two items.
    I have been looking at the threads mentioned in your Stopguard sticky and several seem very similar to her problem. The system slows to a creep when starting programs. The same 4 Virtumundo items continue to reappear each time the computer is rebooted. Then spybot picks up the same 5 DSO exploits in HKEY_USERS about ALTEvents.ALTEvents1... Sorry if this sounds incomplete...I left my exact notes at my friend's house. :( I left her computer running in safe mode and told her not to re-boot. These are the only problems found. AVERT stinger, about:Buster, and Kill2me found nothing. CCleaner was run.

    So now I have run the Hijackthis program and looked it over. It doesn't look too bad to me, but I've never seen one of these logs before :). There are some O4 items that I don't recognize and Pacman's list does not have them as either good or bad. There is an O2 item that seems to be referring to something similar to the ALTEvents stuff found by spybot (CATLEvents Object). Also not sure if I should delete the R1 and R0 items that have entries such as search bar = about:blank.

    Help would be appreciated since I have spent 3 full afternoons doing scans and her system is still so slow as to be unusable. Not sure what else to do, and I'm afraid to 'fix' anything with Hijackthis since I'm unfamiliar. I also searched for some files similar to Hulagirl's post since the problem was so similar. I found bkinst.exe in the system32 folder. There were two other files with "bkinst.exe" in the filename followed by a bunch of numbers and .pf.
    Should I delete these? Any others?

    Thank you for any help!

    Ginny
     
  2. ginnyt

    ginnyt Private E-2

    Ugh! Sorry, I just noticed that I need to reboot into normal mode then run the HijackThis. Is there any way I can repair it without rebooting? If I reboot, does that mean I will need to go through the Adaware and spybot scans again since I know that those same items will reappear?

    Thanks for the thorough instructions...in my stress and fatigue I missed that normal mode. No wonder the HJT log is so short and pretty easy to read. Though safe mode doesn't seem to have any effect on stopping the virtumundo/stopguard problem.
     
  3. PhilliePhan

    PhilliePhan Guest

    Hi Ginny,

    DSO Exploit is a bug in Spybot - The new version should correct it.

    You also have a StopGuard infection. Please take a look at the threads in this link for similarities (it looks like you might have already done this ;) ):

    StopGuard or WinFirewall Problems?

    When you finish with the Tutorial, send us a Hijack This log, as per these instructions:

    Note that your HijackThis should be up-to-date (v1.98.2) and MUST be extracted to its own safe folder - C:\Program Files\HijackThis!

    If you need a Fresh Download of HJT, get it HERE: HijackThis 1.98.2

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt file and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    Send us a log and we'll go from there ;) Sorry I'm a bit rushed! I'm kinda tied up right now, but I'll try to check back when I get a chance.

    Best,
    PP
     
  4. ginnyt

    ginnyt Private E-2

    Well thanks for the quick reply. I have the current version of HJT and I am pretty sure which entries are the bad ones, but it seems that you guys always seem to be able to tell people how to root out all the file names to get rid of this thing. I am attaching my HJT log (but it was run in safe mode). I will re-run in normal mode tomorrow, but I want to fix it if I can from safe mode where the computer is actually usable. (See my second post just before your reply). Let me know if it is totally unacceptable to fix while in safe mode without re-booting to normal.
     

  5. PhilliePhan

    PhilliePhan Guest

    Hi Ginny,

    If you have rebooted since scanning for that log, I'll need a fresh one - this malware generates random names for the .exes on each reboot. Let me know.

    We should be able to do this in Safe Mode.

    PP
     
  6. ginnyt

    ginnyt Private E-2

    No, I haven't re-booted yet. It is still running in safe mode, though. I left strict instructions for everyone NOT to turn off the computer.
     
  7. PhilliePhan

    PhilliePhan Guest

    I'll throw something together for you - Give me 30 min or so.

    PP
     
  8. PhilliePhan

    PhilliePhan Guest

    Ginny Fix:

    Hi Ginny,

    Here you go. I whipped this up pretty quickly, so it is definitely a use at your own risk proposition!

    This is my Generic Cleanup Procedure - I'm still working out the kinks! ;)

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and END them, if possible:
    cabmsvc.exe
    wmssvr.exe
    rasmc.exe
    mfcreg.exe


    NEXT:
    Look in C: > WINDOWS > PREFETCH & Delete cabmsvc.exe (or any cabmsvc or cvsmbac entries). If it is easier, you can go ahead and delete all of the files in the Prefetch Folder – It’s a good idea to do this every couple of months anyway. (Do Not Delete The Prefetch Folder Itself)

    NOW:
    Run HijackThis and Check the Boxes for the Following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

    O2 - BHO: CATLEvents Object - {ED5ABC42-8E4F-4C39-9972-F0CF619D672F} - C:\DOCUME~1\JEANNE~1\LOCALS~1\Temp\cvsmbac.dat (file missing)

    O4 - HKLM\..\Run: [*wmssvr] C:\WINDOWS\security\Database\wmssvr.exe

    O4 - HKLM\..\Run: [*cabmsvc] C:\WINDOWS\cabmsvc.exe

    O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINDOWS\system\wavedrv.exe ren time:1100055068

    O20 - AppInit_DLLs:


    Click FIX and then while still in HijackThis, look in the lower right-hand box where it says “Other stuff,” and select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, enter (or navigate to the file in the HijackThis pane)
    C:\WINDOWS\system\wavedrv.exe and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE again by tapping F8.

    You may receive an error message after rebooting that says Windows could not find the file you told it to delete. Just click okay and DO NOT REBOOT AGAIN.

    While in Safe Mode (making sure that you are able to view hidden files) Navigate to and DELETE the following if they remain:
    C:\WINDOWS\cabmsvc.exe
    C:\WINDOWS\security\Database\wmssvr.exe
    C:\WINDOWS\system\wavedrv.exe
    C:\WINDOWS\AppPatch\mfcreg.exe
    C:\WINDOWS\Tasks\rasmc.exe

    THEN:
    Use Windows Explorer to run a search of your computer for:
    cvsmbac
    cabmsvc
    wavedrv
    wmssvr


    and DELETE the related files. (We especially want to get rid of cvsmbac.ini & cvsmbac.dat & cvsmbac.bak AND cabmsvc.ini & cabmsvc.dat & cabmsvc.bak + any other related crap.) It is important that you be thorough with this search. These files seem to like to hide all over your computer and have a nasty habit of resurrecting themselves if you do not get them ALL. It does look like some of your anti-spyware tools already found some of the baddies!

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot, rescan and Attach a fresh HJT log. Let me know of any problems that you may have encountered with the above instructions. I'll check back when I get a chance - likely in the wee hours tomorrow.

    Best luck :)
    PP
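    An added triage helper, not part of this thread or of HijackThis, that applies the patterns PhilliePhan's fix relies on to HJT log lines: IE search settings reset to nothing or about:blank, a BHO whose file is missing, and Run/RunOnce entries with the '*'-prefixed names or the drop folders seen in the fix above. The suspect-folder list is inferred from the delete list in this thread and the Java updater entry is a constructed benign line, both assumptions for illustration.

```python
import re

# Constructed sample: the HijackThis entries quoted in the fix above, plus one
# ordinary (constructed) Java updater entry so a benign O4 line is present.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: CATLEvents Object - {ED5ABC42-8E4F-4C39-9972-F0CF619D672F} - C:\DOCUME~1\JEANNE~1\LOCALS~1\Temp\cvsmbac.dat (file missing)
O4 - HKLM\..\Run: [*wmssvr] C:\WINDOWS\security\Database\wmssvr.exe
O4 - HKLM\..\Run: [*cabmsvc] C:\WINDOWS\cabmsvc.exe
O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINDOWS\system\wavedrv.exe ren time:1100055068
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O20 - AppInit_DLLs:
"""

# Drop folders taken from the fix's delete list (a rule inferred from this thread, not an HJT feature)
SUSPECT_DIRS = {r"c:\windows", r"c:\windows\security\database", r"c:\windows\system",
                r"c:\windows\tasks", r"c:\windows\apppatch"}

HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
O4_ENTRY = re.compile(r"\[(?P<name>[^\]]+)\] (?P<path>.+?\.exe)", re.I)

def triage(log_text):
    """Return (section, line, reason) for every entry matching a pattern from the infected log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        sec, body = m["sec"], m["body"]
        if sec in ("R0", "R1"):
            # IE search / start-page settings emptied or pointed at about:blank
            value = body.partition("=")[2].strip()
            if value in ("", "about:blank"):
                findings.append((sec, line, "IE search setting blanked or hijacked"))
        elif sec == "O2" and body.endswith("(file missing)"):
            findings.append((sec, line, "BHO CLSID registered but its file is gone"))
        elif sec == "O4" and (m4 := O4_ENTRY.search(body)):
            name, path = m4["name"], m4["path"]
            parent = path.lower().rsplit("\\", 1)[0]
            if name.startswith("*"):  # every malware autostart value in this log had a '*' prefix
                findings.append((sec, line, f"autostart value {name!r} has the '*' prefix"))
            elif parent in SUSPECT_DIRS:
                findings.append((sec, line, f"autostart .exe dropped in {parent}"))
    return findings
```

    The helper only flags lines for a person to review; it changes nothing on the machine, and the empty O20 AppInit_DLLs line is left alone because it carries no value.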
     
  9. ginnyt

    ginnyt Private E-2

    Thank you!!! It worked like a charm. By the way, I also did delete 3 files with the bkinst.exe type name since this looked like a bad guy in a lot of the other threads with this problem on the web. Several boot ups in normal mode revealed nothing strange and no unknown processes running. Back up to full speed online and offline.

    I have seen several forums dealing with this same issue, but your site gives the most straightforward, easy to do fix. :)

    I am a little unnerved by the fact that after fixing everything I had to go online (Firewalled and running spywarebuster, everything cleaned, but no working antivirus) to download a 'fix' suggested by McAfee if having installation problems. Got the fix that doesn't work, but also got 19 Virtumundo items found by Adaware and 1 virus/trojan found by AVGfree after giving up on the McAfee products. I'm a little nervous that I got the Stopguard thing again, but the Hijackthis log looked clean with no unrecognized lines. Will keep an eye on it.

    Is there anything better about the high $ McAfee/Norton virus scanners compared to AVGfree? Are there better free antivirus scanners? The McAfee would not let me load more than one product (i.e. Firewall, then antivirus packages)--some problem with registry keys that absolutely wouldn't let me clean, even after setting protections.
     
  10. PhilliePhan

    PhilliePhan Guest

    You're welcome! Glad to see that things are looking up :) I figured you got rid of the bkinst.exe since I didn't see it. I have come to believe that it is one of the master .exes associated with this malware.
    You should have seen my first few threads dealing with this back when we didn't know what it was ;) Finally, I was able to come up with a relatively easy procedure - of course, the burden is on each user to find all of the remnants & this baby likes to resurrect itself!
    If you get it, you'll know it!! I'm amazed how powerful the little bugger is. It can make your computer grind to a halt. I also do not believe many (if any at all) AV or Anti-Spyware products have caught up with it yet. They label it Virtumonde, but I think StopGuard is only similar to that baddie in a few ways. The tracks are different.
    People here seem to prefer AVG and Avast. If you are going to spend money on AV, go with Kaspersky or Nod32 - They are far and away the best IMHO.
    Plus, there are a number of good, free personal Firewalls like Sygate and ZoneAlarm. Take a look at Chaslang's recommendations: How to protect yourself from malware!

    Anyhoo, I'm happy we could help you out. Let us know if we can be of further assistance!

    Best :)
    PP
     