virtumundo strikes again...other issues too perhaps

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by tarkin789, Nov 19, 2004.

  1. tarkin789

    tarkin789 Private E-2

    I have carefully read over the guidelines and rules of this forum, and have read and complied with the threads:
    Read this before asking for help thread
    and the
    read this before posting hijack this log thread

    Here's what's happening:
    Ad-aware keeps catching 4 virtumundo related files (2 reg val and 2 reg keys)
    My computer is getting slower and slower...everything is lagging the longer this virus (or whatever it is) takes hold

    In safe mode, with no other programs running, I have run trendmicro's housecall and it found 12 non-cleanable entries as follows:
    TROJ_AGENT.EA (3 times)
    HTML_Netsky.P (6 times)
    CHM_PSYME.B (3 times)

    Then I ran:
    Ccleaner
    Ad-Aware SE (w/ the VX2 Cleaner Plug-In)
    Spybot S&D
    CWShredder

    I have Hijack This and ran it w/ nothing else running and have not rebooted my computer since then. The HJT logfile is attached.

    If ANYONE has time to help me...I will be forever indebted to you. Seriously, thank you for any time and assistance.
     


  2. PhilliePhan

    PhilliePhan Guest

    Hi Tarkin789,

    This is my generic fix for Stopguard/Virtumundo-related malware infections. You should probably note that I haven’t been having too much luck with Windows 2000 OS machines. Maybe this will change that! Follow the instructions carefully.


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure the Viewing of Hidden Files is Enabled as per the tutorial.

    NOW:
    Run HijackThis and Check the Boxes for the Following:

    O2 - BHO: CATLEvents Object - {C69FA570-7FDE-4C49-A7BC-CB1CF24BE66B} - C:\DOCUME~1\ADMINI~1.MAC\LOCALS~1\Temp\lmxbac.dat

    O4 - HKLM\..\Run: [*fontdb] C:\WINNT\Speech\fontdb.exe

    O4 - HKLM\..\Run: [*cabxml] C:\WINNT\ServicePackFiles\cabxml.exe

    O4 - HKLM\..\RunOnce: [*cabxml] C:\WINNT\ServicePackFiles\cabxml.exe rerun

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/pthalo/us/win/QuickTimeInstaller.exe

    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab


    Click FIX and then, while still in HijackThis, look in the lower right-hand box where it says “Other stuff,” and select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, enter (or navigate to the file in the HijackThis pane) C:\WINNT\ServicePackFiles\cabxml.exe and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE by tapping F8.

    You may receive an error message after rebooting into Safe Mode that says Windows could not find the file you told it to delete. Just click okay and DO NOT REBOOT AGAIN.

    While in Safe Mode (making sure that you are able to view hidden files) Navigate to and DELETE the following if they remain:

    C:\WINNT\Speech\fontdb.exe
    C:\WINNT\ServicePackFiles\cabxml.exe

    THEN:
    Use Windows Explorer to run a search of your computer for:

    bkinst
    cabxml
    lmxbac
    fontdb


    and DELETE the related files. (We especially want to get rid of cabxml.ini & cabxml.dat & cabxml.bak AND lmxbac.ini & lmxbac.dat & lmxbac.bak + any other related crap.)
    It is important that you be thorough with this search. These files seem to like to hide all over your computer and have a nasty habit of resurrecting themselves if you do not get them ALL.

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Attach a fresh HJT log. How are things running? Let us know of any problems that you may have encountered with the above instructions. Maybe my luck with Windows 2000 will change!

    Best luck :)
    PP
     
  3. tarkin789

    tarkin789 Private E-2

    argh! I am going crazy here....CPU usage up to 100% with this darn thing.

    Okay, thanks so much for your reply....I ran HJT and fixed the items you listed, then set it up to delete that file on reboot....

    running in safe mode....

    fontdb.exe and cabxml.exe did not exist when i checked for them

    no instances of bkinst
    one instance of cabxml.ini that i deleted
    then the problem child....found a lmxbac.tmp that I CANNOT delete because it is in use....and as I try to select it...it keeps recreating itself with varying sizes (from 0kb to 4mb and everywhere in between!). I also notice when I hit CTRL ALT DEL that the program cabxml.exe is running....if I end process it keeps restarting instantly and using all my CPU power. And all this is happening in safe mode.

    So basically I can't delete the files I need to....any advice? Thanks again sooo much for taking time to try and help.
     
  4. PhilliePhan

    PhilliePhan Guest

    Attach a fresh HJT log. I'm about to head out for a bit - You might first try to delete the file on reboot again and let your machine boot normal and then scan and attach the log. When you delete them on reboot, these troublesome running processes never get a chance to start running!

    Sorry if I seem rushed - I am! ;) I'll try to check back - likely tomorrow.

    PP
     
  5. tarkin789

    tarkin789 Private E-2

    PP,

    newest HJT log attached....still not able to delete the file. grrrr, what type of person creates these viruses anyway? so evil.

    thanks again for any help.
     


  6. PhilliePhan

    PhilliePhan Guest

    Hi Tarkin789,

    Try running through the steps again. Looks like you got some of it the first time. Make sure that you are disconnected from the internet.

    Also, if you are unable to delete the running process, find the troublesome file and right-click it and see if it is read only.

    Also, take a look in C:\WINNT\ServicePackFiles and see what is in the folder. If it is just cabxml.exe , try deleting the whole folder on reboot.

    For some reason, my steps work fine in some instances and fail in others. But, the bottom line is that we must end that pesky process before we can clean the files. The best way to do that is to delete it on reboot before it gets a chance to run.

    You could try downloading this tool and see if it can do the job. You might have to try it a few times. Also try it for the whole folder.

    http://www.downloads.subratam.org/KillBox.zip

    Don't let this ruin your weekend! :)

    Best luck,
    PP
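    The two PhilliePhan posts above boil down to the same check: which Run/RunOnce entries, running processes and files on disk carry the names bkinst, cabxml, lmxbac or fontdb, and whether a stubborn file is read-only. The script below is an added example, not from the thread or from HijackThis/KillBox; it only inventories and reports, deleting nothing, so you can confirm what survived a "delete on reboot" pass before repeating it. It assumes a modern PowerShell (5.1 or later) rather than the Windows 2000 box in the thread.

```powershell
# Added example: inventory the Virtumundo indicators named in this thread.
# Report only; nothing is deleted. Indicator names come from the posts above.
$Indicators = @('bkinst', 'cabxml', 'lmxbac', 'fontdb')
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# 1. Autostart entries: the thread's O4 lines live under these two keys.
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata
        foreach ($ind in $Indicators) {
            if ($p.Name -like "*$ind*" -or "$($p.Value)" -like "*$ind*") {
                "[Run]  $key : $($p.Name) = $($p.Value)"
            }
        }
    }
}

# 2. Running processes: a process that restarts instantly holds its file
#    open, which is why the posts delete it on reboot before it can start.
Get-Process | Where-Object {
    $n = $_.ProcessName
    ($Indicators | Where-Object { $n -like "*$_*" }).Count -gt 0
} | ForEach-Object { "[Proc] $($_.ProcessName) PID $($_.Id)" }

# 3. Files on every filesystem drive; -Force includes hidden files, and the
#    ReadOnly attribute is reported because the post asks you to check it.
$drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root }
foreach ($d in $drives) {
    Get-ChildItem -Path $d.Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object {
            $b = $_.BaseName
            ($Indicators | Where-Object { $b -like "*$_*" }).Count -gt 0
        } |
        ForEach-Object {
            $ro = if (($_.Attributes -band [IO.FileAttributes]::ReadOnly) -ne 0) { 'ReadOnly' } else { '' }
            "[File] $($_.FullName) ($($_.Length) bytes) $ro"
        }
}
```

    Run it from an elevated prompt; a [Proc] line for cabxml means the file cannot be removed while Windows is up, which is the case the delete-on-reboot step in the posts is for.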
     
  7. tarkin789

    tarkin789 Private E-2

    PP

    Thanks sooo much for your help....I think it is gone!

    I'm not sure what finally did it....I just kept selecting all the lmcbat and cabxml files I could find and marked them for deletion upon reboot with killbox....then I would restart it in safe mode....the first time or two the files were still there and I couldn't get rid of them...but I just kept repeating that (while each time I rebooted I would run ccleaner and spybot S&D) and after about 4 reboots....suddenly the computer was working normal speed again and the files were gone! (recent HJT log attached)

    thanks sooo much for your help. any idea how one gets infected with virtumundo? what's the best way to protect against such attacks?
     


  8. PhilliePhan

    PhilliePhan Guest

    Hi Tarkin789,

    Well done! Your log is clean - Looks like you got it all! :)

    Sometimes you have to take the initiative and be pretty dogged in your pursuit of this baddie. As for protecting yourself in the future, take a look here:

    How to Protect yourself from malware!

    I do not think that AV and anti-spyware tools are close to stopping this nasty yet. I think it is a "drive-by" infection - Your browser is in the wrong place at the wrong time. So, you need to be a safe surfer and do what you can.

    Best,
    PP
     
