Virtumonde and constant dialing-up

Discussion in 'Malware Help (A Specialist Will Reply)' started by evilevets, Jan 19, 2006.

  1. evilevets

    evilevets Sergeant Major

    Win 2K.

    Followed all required steps, except for the online scans. They would not work for some reason.

    Spybot, Adaware and MS all detected a lot of items but most were removed. Spysweeper detects Virtumonde but cannot remove it, even in Safe Mode.

    Also, this machine continually attempts to dial-up, and a Page Cannot Be Displayed box constantly appears, about every five seconds.

    Another weird thing it does is an IE box pops up with Add/Remove Programs in the title bar, with a www dot winfixer dot com address in the address bar.

    Attached is a HJT log.


    Thanks in advance.

    -Steve
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The link to a fix for this is mentioned in the READ & RUN ME in Special Procedures.

    Try this: Virtumonde aka Trojan Vundo Removal


    Were you trying to run the online scans in safe or normal boot mode?
    Also were you using Internet Explorer as specified?
     
  3. evilevets

    evilevets Sergeant Major

    Thanks Chas, I'll try that link.

    Wouldn't work in Safe Mode or normal boot. And yes, with IE.



    -Steve
     
  4. evilevets

    evilevets Sergeant Major

    I ran the Vundo tool.


    Here is the Vundo log and a new HJT log.


    Thanks,

    -Steve
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay let us know how it works out and attach the log.

    You really need to get your OS updated. You still have plain old Windows 2000 with none of the Service Packs and they are on SP4. You are missing a load of security patches.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay we were posting around the same time. You just need to fix one more item in your HJT log:

    R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link (this will get your OS updated). Also you have no firewall. You need one!

    How to Protect yourself from malware!
     
  7. evilevets

    evilevets Sergeant Major

    Yeah, I plan to get all the updates after I straighten this stuff out.

    I don't think Win 2K has System Restore.

    In either case, here is a new HJT log.


    BTW - Something is still preventing me from doing the online scans. Safe mode and normal boot.



    Thanks,

    -Steve
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No it does not. Sorry about that. I just copied and pasted in a boiler plate and forgot to edit it for your OS. Just ignore that part and start working on the How to protect steps.
     
  9. evilevets

    evilevets Sergeant Major

    Was finally able to do the Panda Active scan. Attached is the log. It picked up Virtumonde, but I thought I got rid of that.

    Still can't start the BitDefender online scan, and MS AntiSpyware won't connect to server for updates. Just thought that was strange and maybe characteristic of an infection? All others (Spybot, AdAware, etc) have no problems connecting to server for updates.



    Thanks,

    -Steve
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have viewing of hidden & system files enabled per the READ ME.

    Boot into safe mode and use Windows Explorer to delete the below:

    C:\WINNT\system32\awvuv.dll also delete vuvwa.* (note: * means anything).
    C:\WINNT\system32\eraseme_07835.exe
    C:\WINNT\system32\eraseme_13272.exe
    C:\WINNT\system32\eraseme_14134.exe
    C:\WINNT\system32\eraseme_24434.exe
    C:\WINNT\system32\eraseme_31267.exe
    C:\WINNT\system32\eraseme_43044.exe
    C:\WINNT\system32\eraseme_58303.exe
    C:\WINNT\system32\eraseme_58883.exe
    C:\WINNT\system32\eraseme_75402.exe
    C:\WINNT\system32\hgdee.dll also delete eedgh.* (note: * means anything).
    C:\WINNT\system32\i
    C:\WINNT\system32\mlljk.dll also delete kjllm.* (note: * means anything).
    C:\WINNT\system32\nnlkh.dll also delete hklnn.* (note: * means anything).
    C:\WINNT\system32\tusss.dll also delete sssut.* (note: * means anything).
    C:\WINNT\system32\ursqq.dll also delete ursqq.* (note: * means anything).

    Now reboot into normal mode.

    How are things looking now?
     
  11. evilevets

    evilevets Sergeant Major

    Thanks Chas, but not one of those files appears in C:\winnt\system32. I booted into Safe Mode, and show hidden/system files is set.

    There were seven eraseme_#####.exe, but none matching the ones above.


    -Steve
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Those are the files that Panda reported. Perhaps some renamed themselves after a reboot. The other eraseme_####.exe file names should be deleted but you may want to do another scan with Panda and see what it is reporting now. DO NOT reboot after posting the log. Also you could try deleting the files yourself without rebooting into safe mode. It could work.

    Just don't delete the below if detected (it's a false positive):


    Virus:Eicar.Mod Not disinfected C:\Program Files\PestPatrol\Help.chm [HowCanITestDetection.html]
     
