Vurtumonde - Vundo Removal

Discussion in 'Malware Help (A Specialist Will Reply)' started by bopper10, Oct 6, 2005.

  1. bopper10

    bopper10 Private E-2

    I am having problems with removal of what appears to be virtumonde/vundo trojan. I have followed all steps in the READ ME FIRST BEFORE ASKING FOR SUPPORT document, along with running Microsoft Anti-Spyware software, along with Symantec repair tools for both Vundo and VundoB with no success, although a few stated they took care of the problem.

    I am running Symantec antivirus version 9.0.0.338 with scan engine 51.2.0.12 and the virus definition file is version 9/28/2005 rev. 7. When I boot the machine I get a program error box with the following heading: fontacc.exe - Bad Image. The text reads: The application of DLL C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\Temp\ccatnof.dat is not a valid Windows image. Please check this against your installation diskette. If you close or click OK the box reappears. I also receive a Symantec AntiVirus Notification box stating the Trojan.Vundo threat in the above stated file. The action taken shows: Clean Failed. Quarantine failed. Delete succeeded. Access denied.

    I have run Hijack This and have a log file. There are 4 items found which relate to either fontacc.exe or ccatnof.dat. I am certain these should be fixed, but figured I am probably missing others which Vundo may be using and would be interested in uploading the log for review.

    THANKS!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. bopper10

    bopper10 Private E-2

    Here is the Hijack This log I got.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  5. bopper10

    bopper10 Private E-2

    I had already run the 2 Symantec tools, but did them again to see if I got the same results. I did...nothing was found with either. I could not get the machine to boot to just Safe Mode...I had to boot to Safe Mode With Networking and I ran Ewido and am attaching the Scan Report. I noticed one mention of fontacc.exe in the report, but nothing on ccatnof.dat. There were a few other Virtumondo items found though. I then restarted the computer to normal XP Professional mode and ran "Hijack This" and I am including the new log file generated. Results when I restarted to normal mode are as follows:

    1) I no longer receive the fontacc.exe error message.
    2) I no longer get a Symantec Notification window.
    3) I no longer can see fontacc.exe in the task manager window.
    4) I have looked around the C: drive a little and found quite a few locations for files related to fontacc.exe and ccatnof.dat. There is a fontacc.exe-03797775.pf in the C:\Windows\Prefetch folder. Also in C:\Windows\Repair there are numerous files related to ccatnof.dat with the following extensions: .ini, .in2, .tmp, .bak1, .bak2. All are shaded lightly in my explorer view. There are numerous users of this PC and about 6 of them have a copy of ccatnof.dat in their C:\DOCUMENTS AND SETTINGS\%username%\LOCAL SETTINGS\Temp\ folder.
    5) Running applications including explorer are EXTREMELY slow to load.

    I appreciate your timely responses today and look forward to your thoughts at this point!!
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    For all user accounts, you should try to delete all files (that it allows you to delete) in folders like below:

    C:\Documents and Settings\Administrator.ARCDOMAIN\Local Settings\Temp
    C:\Documents and Settings\jreichart\Local Settings\Temp
    C:\Documents and Settings\nlarson\Local Settings\Temp
    C:\Documents and Settings\RHojka\Local Settings\Temp

    You should also run Ccleaner on each account.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {13589181-4F0D-4553-B9F8-B4B72172C139} - (no file)
    O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\ADMINI~1.ARC\LOCALS~1\Temp\ccatnof.dat
    O4 - HKLM\..\Run: [pc] C:\WINDOWS\Driver Cache\pc.exe
    O4 - HKLM\..\Run: [*pc] C:\WINDOWS\Driver Cache\pc.exe
    O4 - HKLM\..\Run: [*antidrv] C:\WINDOWS\system\antidrv.exe
    O4 - HKLM\..\Run: [*comtcp] C:\WINDOWS\comtcp.exe
    O4 - HKLM\..\Run: [*antiexp] C:\WINDOWS\system\antiexp.exe
    O4 - HKLM\..\Run: [*vbvga] C:\WINDOWS\msagent\CHARS\vbvga.exe
    O4 - HKLM\..\Run: [*acms] C:\WINDOWS\Fonts\acms.exe
    O4 - HKLM\..\Run: [*utilps] C:\WINDOWS\java\Packages\utilps.exe
    O4 - HKLM\..\Run: [*imgeula] C:\WINDOWS\Cursors\imgeula.exe
    O4 - HKLM\..\Run: [*dbfont] C:\WINDOWS\Driver Cache\dbfont.exe
    O4 - HKLM\..\Run: [*img] C:\WINDOWS\Tasks\img.exe
    O4 - HKLM\..\Run: [*cracc] C:\WINDOWS\msagent\CHARS\cracc.exe
    O4 - HKLM\..\Run: [*mcxml] C:\WINDOWS\msagent\CHARS\mcxml.exe
    O4 - HKLM\..\Run: [*utillog] C:\WINDOWS\Driver Cache\utillog.exe
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O20 - Winlogon Notify: fontacc - C:\DOCUME~1\ADMINI~1.ARC\LOCALS~1\Temp\ccatnof.dat

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\Driver Cache\pc.exe
    C:\WINDOWS\system\antidrv.exe
    C:\WINDOWS\comtcp.exe
    C:\WINDOWS\system\antiexp.exe
    C:\WINDOWS\msagent\CHARS\vbvga.exe
    C:\WINDOWS\Fonts\acms.exe
    C:\WINDOWS\java\Packages\utilps.exe
    C:\WINDOWS\Cursors\imgeula.exe
    C:\WINDOWS\Driver Cache\dbfont.exe
    C:\WINDOWS\Tasks\img.exe
    C:\WINDOWS\msagent\CHARS\cracc.exe
    C:\WINDOWS\msagent\CHARS\mcxml.exe
    C:\WINDOWS\Driver Cache\utillog.exe
    C:\DOCUME~1\ADMINI~1.ARC\LOCALS~1\Temp\ccatnof.dat (search your PC for any more of these, and also for any files with the .ini, .in2, .tmp, .bak1 or .bak2 extension for this file name, and delete them too. Do the same for all user accounts.)

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST). Now, if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all Offline content too, click OK. When it finishes click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all Offline content too, click OK. When it finishes click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.


    You should run Ewido again on this account and also run it for the other accounts too. But when you boot in safe mode with networking, make sure you physically unplug your cable to the internet so nothing can go in or out.
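    The fix list in the post above is built from a handful of repeatable heuristics: BHO and Winlogon Notify entries that load a non-DLL file from a user Temp folder, orphaned CLSIDs, Run values whose names start with `*`, autostart executables dropped into data-only Windows subfolders, and IE buttons whose target file is missing. The following Python script is an added example written for this thread (it is not HijackThis code and not something the helper posted); it runs those heuristics over the O2/O4/O9/O20 lines quoted in the fix list, plus two constructed benign entries with a placeholder CLSID so there is something that must pass. The Office Research button (REFIEBAR.DLL), which the helper also removed, trips none of these rules, so the script reports 19 of the 20 fix-list lines; that is the limit of path-based triage and the reason a human still reads the log.

```python
"""Triage HijackThis (HJT) log lines for the Vundo persistence patterns
seen in this thread.  Added example, not part of HJT or of the thread.
Reads O2 (BHO), O4 (Run key), O9 (IE extra button) and O20 (Winlogon
Notify) lines and returns each suspicious line with its reasons."""
import re

# Sample input: the twenty O2/O4/O9/O20 lines from the helper's fix list,
# plus two constructed benign entries (placeholder CLSID, made-up vendor
# path, and a Symantec-style ccApp entry) that the filter must let pass.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {13589181-4F0D-4553-B9F8-B4B72172C139} - (no file)
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\ADMINI~1.ARC\LOCALS~1\Temp\ccatnof.dat
O2 - BHO: Constructed Benign Helper - {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - C:\Program Files\Common Files\Vendor\Helper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [pc] C:\WINDOWS\Driver Cache\pc.exe
O4 - HKLM\..\Run: [*pc] C:\WINDOWS\Driver Cache\pc.exe
O4 - HKLM\..\Run: [*antidrv] C:\WINDOWS\system\antidrv.exe
O4 - HKLM\..\Run: [*comtcp] C:\WINDOWS\comtcp.exe
O4 - HKLM\..\Run: [*antiexp] C:\WINDOWS\system\antiexp.exe
O4 - HKLM\..\Run: [*vbvga] C:\WINDOWS\msagent\CHARS\vbvga.exe
O4 - HKLM\..\Run: [*acms] C:\WINDOWS\Fonts\acms.exe
O4 - HKLM\..\Run: [*utilps] C:\WINDOWS\java\Packages\utilps.exe
O4 - HKLM\..\Run: [*imgeula] C:\WINDOWS\Cursors\imgeula.exe
O4 - HKLM\..\Run: [*dbfont] C:\WINDOWS\Driver Cache\dbfont.exe
O4 - HKLM\..\Run: [*img] C:\WINDOWS\Tasks\img.exe
O4 - HKLM\..\Run: [*cracc] C:\WINDOWS\msagent\CHARS\cracc.exe
O4 - HKLM\..\Run: [*mcxml] C:\WINDOWS\msagent\CHARS\mcxml.exe
O4 - HKLM\..\Run: [*utillog] C:\WINDOWS\Driver Cache\utillog.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O20 - Winlogon Notify: fontacc - C:\DOCUME~1\ADMINI~1.ARC\LOCALS~1\Temp\ccatnof.dat
"""

# One regex per HJT section we care about; named groups pull out the path.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<path>.*)$")
O9_RE = re.compile(r"^O9 - Extra (?:button|'Tools' menuitem): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\w+) - (?P<path>.*)$")

# Windows subfolders that hold data rather than programs; every dropped
# .exe in the fix list sits in one of them.
DATA_DIRS = ("\\driver cache\\", "\\fonts\\", "\\cursors\\", "\\tasks\\",
             "\\msagent\\chars\\", "\\java\\packages\\")
# Long and 8.3 (DOCUME~1 style) spellings of a per-user Temp folder.
TEMP_RE = re.compile(r"\\(local settings|locals~1)\\temp\\", re.IGNORECASE)


def reasons_for(line: str) -> list[str]:
    """Return the reasons a single HJT line is suspicious (empty list = pass)."""
    reasons: list[str] = []
    if m := O2_RE.match(line):
        path = m["path"]
        if path == "(no file)":
            reasons.append("BHO CLSID registered but its file is gone")
        if TEMP_RE.search(path):
            reasons.append("BHO loaded from a user Temp folder")
        if path.lower().endswith(".dat"):
            reasons.append("BHO module has a non-DLL extension")
    elif m := O4_RE.match(line):
        if m["name"].startswith("*"):
            reasons.append("Run value name starts with '*' (asks Windows to run it in Safe Mode too)")
        if any(d in m["path"].lower() for d in DATA_DIRS):
            reasons.append("autostart executable stored in a data-only Windows subfolder")
    elif m := O9_RE.match(line):
        if m["path"].endswith("(file missing)"):
            reasons.append("IE button/menu item whose target file is missing")
    elif m := O20_RE.match(line):
        path = m["path"]
        if TEMP_RE.search(path):
            reasons.append("Winlogon Notify package loaded from a user Temp folder")
        if path.lower().endswith(".dat"):
            reasons.append("Winlogon Notify package has a non-DLL extension")
    return reasons


def triage(log_text: str) -> list[tuple[str, list[str]]]:
    """Flag every non-blank line of an HJT log that trips at least one heuristic."""
    flagged: list[tuple[str, list[str]]] = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        if line and (reasons := reasons_for(line)):
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

    Feed it a whole HJT log instead of SAMPLE_LOG and it prints only the lines worth a second look, each with the rule it tripped; lines it does not print are not cleared, only unremarkable to these particular rules.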
     
  7. bopper10

    bopper10 Private E-2

    I did everything on your list. The only section I had a problem with was the section after exiting HJT. The only files in the list of .exe files I could find were a handful of the ccatnof.* in the C:\Windows\Repair folder. All others were not on the system. I have rebooted and rerun HJT and am including the log. While the boot process is extremely slow and firing up some of the programs is slow, I believe this is related to the amount of memory on the PC and not anything related to what has happened here. Most everything seems to be running OK at this point. Let me know if you see anything additional in the log file. Thanks!!!
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is now clean! Do you have any other malware problems?
     
  9. bopper10

    bopper10 Private E-2

    No...that is the only problem I was facing. Thank you much for your assistance!!!
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

