wvUlllMf (aka Virtumonde) hiding out in Winlogon

Discussion in 'Malware Help (A Specialist Will Reply)' started by terradale, Aug 24, 2008.

  1. terradale

    terradale Private E-2

    Thank you in advance for any advice regarding my Toshiba laptop malady. I've performed all the 'READ & RUN ME FIRST' steps and attached the logs. Albeit, according to Spybot's -> Advanced Mode -> Tools -> System Startup, I've got a wvUllMF.dll hiding out in a possibly fabricated WinLogon sequence.

    Background: On Wednesday night, Aug 6, I started experiencing problems with my browsers, i.e. redirects, porno ads, and anti-malware download popups on PC startup. I use both IE6 and Firefox 1.5.

    I already had Spybot on my computer and ran it almost daily, faithfully. It identified 3 Virtumonde trojans, altho it wasn't able to get rid of them. Ended up downloading Malwarebytes and CCleaner. That seemed to have reduced the Virtumonde infections down to the remaining one previously mentioned. Please note they were identified in these programs as wvUlllf.

    I also was running Norton Internet Security 2008. It has since been removed, aided by the Norton removal tool, and replaced with Avast. Altho, I haven't been able to figure out or manually remove its quarantine file.

    Prior to Norton, I had Trend Micro 2005 and it should have been removed also. Altho, I can see remnants of both in the log files.

    Also as of today, I uninstalled Spybot & Malwarebytes and then reinstalled them for the 'READ & RUN ME FIRST' procedure. Altho, through the Spybot run the re-install automatically included the 'teatimer', even tho on download and initial update I specifically requested it not be downloaded. I caught that and turned it off after the Spybot run, and prior to the Malwarebytes, Combofix and MGTools run.

    Please help me get rid of this wvUlllMf and any other nasties it may have downloaded. It's like the mothership, calling in reinforcements when it can. Just when I think I'm clean, all of a sudden I'm re-infected again.

    (And apologies for the lengthy background - just thought I'd better clarify where, when and how I got to this stage.)
     

    Attached Files:

  2. terradale

    terradale Private E-2

    Here's the malwarebytes log...
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I'm only seeing two things to do:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now use windows explorer to find and delete:
    C:\WINDOWS\Tasks\Norton Internet Security
    C:\DOCUME~1\admin\LOCALS~1\Temp\winvsnet.exe

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\%username%\Local Settings\Temp

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.

    Be sure to tell us how things are running.
     
  4. terradale

    terradale Private E-2

    Thanks Tim!!!
    I'm at work right now and we'll run these fixes on my laptop tonight when I get home.
     
  5. terradale

    terradale Private E-2

    Hi Tim,
    Apologies for not getting back with you sooner. Unfortunately I wasn't able to run the instructions until this Saturday morning. Attached is today's MGlogs.zip.

    Two things:
    - I was not able to find the winvsnet.exe to delete. I looked for it in the directory indicated - not there. Then I ran a Windows search - not there. Then I checked the directory and searched for it in safe mode - not there.
    - I checked Spybot's 'system startup' (in the tools section) again after running the MGtools and unfortunately the wvUllMF.dll is still hanging out in there. If you would like, I can 'export' the system startup information in Spybot as a .txt file and attach that for you? I'll refrain for now - until I hear from you.

    Oh here's a few other strange things:
    - I got a chance to run Spybot a few times this week (usually when I'm walking the dog in the morning) and each time there was nothing to delete. Very odd - usually it finds a zedo, or some other marketing cookies to delete.
    - I ran Malwarebytes Anti-Malware once this week and the first run indicated an infection, but for some reason before I could perform a 'delete' action, the program shut down on me. When I ran it again, there was nothing found to delete.

    Have a great weekend.
    Hope to hear from you when you get a chance. I am able to hang out on the internet without a problem (ever since I updated Java), albeit I'm not doing anything that would require entering passwords of any sort. (Altho, I do need to sooner or later.)
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It came out of hiding.....

    Please Disable Spybot's TeaTimer

    * Run Spybot and click Mode
    * Select Advanced Mode.
    * Then click Tools and select Resident.
    * Now in the right window pane, uncheck TeaTimer.
    * Also while this is open, in the left column now select IE Tweaks
    * and then in the right pane make sure all the Miscellaneous locks are unchecked.
    * Now quit Spybot!

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.
     
    Last edited: Aug 30, 2008
  7. terradale

    terradale Private E-2

    Hi Tim,
    Me again... I performed the instructions and today's MGlogs is attached.

    I did reboot after completing the instructions and unfortunately the wvUllmf.dll is still showing in the Spybot 'System Startup' report.

    If you would like I can export that to a report and attach it. Again, I'll refrain from attaching it until I hear back from you.

    Thanks for all your help and staying with me.
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It is not in your logs......did you look in your start folder to see if the remnant is there?

    You could attach the spybot log.
     
  9. terradale

    terradale Private E-2

    Thanks Tim.

    I attached the spybot system startup report. wvUlllMF is the very last entry.

    Please note that when I first uncovered this thing, Aug 6, one of the first things I did was check the add/remove programs and noticed all of my spyware programs (Spybot, Norton, Ad-Aware and removal programs I had forgotten about from when I had the Vundo virus in 2005) had been touched, and the date was one day in the FUTURE - Aug 7! I went through and removed all these and then reloaded them. Spybot & Norton continued to find the Vundo and Virtumonde infections. And I was still having problems with redirects and unwanted porno and spyware ads. I downloaded the latest Java and that seemed to have fixed the redirects and ads. Altho, this wvUlllMF.dll won't go away. So I found you all, removed Norton completely (replaced with AVAST a few days later) and downloaded all your tools and ran them in both normal and safe mode. Spybot, Malwarebytes and SUPERAntiSpyware all indicated they found a Vundo or Virtumonde and fixed it. Altho Spybot's 'System Startup' report continues to report this damn :) .dll.

    And finally to answer your question - yes, I've checked the startup in both MSCONFIG and CCleaner and can't find it there. Also in the beginning I ran a system search and found the wvUlllMF.dll and deleted it manually. But it keeps appearing in the 'System Startup' report in the WINlogon sequence. I uncheck it and two seconds later the entire Winlogon sequence is rechecked. At one point I unchecked everything in startup and it (the WINlogon sequence) rechecks itself.

    And finally, finally :) I noticed in the last two weeks that Spybot & Malwarebytes never find any cookies nor infections. Which leads me to think these programs are malfunctioning. I've uninstalled and reloaded Spybot and Malwarebytes and their innards (for lack of a better word) many times hoping to get a fresh run, to no avail.

    It's almost like - once this thing gets touched by one removal program it hides and regenerates itself somewhere else.

    Apologies for the history report. But, I need to get this off my computer, I haven't used any of my banking (even changed banks) nor buying programs once I realized it was there and I've got a whole lot of donating to do - to good folks like yourself !!!
     

    Attached Files:

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Strange as it is a zero size item...go to Bitscan link: agree to the license and then select Scan. DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files. Once Bitdefender completes the scan:

    Click-on the Detected Problems tab. Then select Click here to export the scan report

    When the window comes up to save the report, change the Save as type: box to Text (Tab Delimited) (*.txt) and then in the File name box change the name to bdscan, then click Save. This will save a file named bdscan.txt in whatever folder you are currently in when you save the file (take notice of where you are at so you can find it later). This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.
     
  11. terradale

    terradale Private E-2

    Here's the report from Bitscan. My system almost crashed when it deleted the Vundo.Fhh. There's a trojan.crypt.o that it wasn't able to delete tho.

    Thought I'd also mention that wvUlllMf is still appearing in the spybot 'system startup' report. I unchecked everything in the startup, clicked out of the spybot tools and then went back to it and again the Winlogon sequence was rechecked, as well as a 2nd 'C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe' appeared that also checked itself.

    Look forward to hearing about the latest.
     

    Attached Files:

    Last edited: Sep 7, 2008
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Interesting ...since it was not in any of your previous logs......and I can find no reference to the wvUlllMF.dll

    Disable TeaTimer again if it is not already...then download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
  13. terradale

    terradale Private E-2

    Apologies for the delay in getting back to you. Attached is the Avenger log and the latest MGlogs.zip file. Please note that Spybot's -> Tools -> System Startup still reports that wvUlllMf.dll is still hanging out in Winlogon after running the Avenger instructions.
     

    Attached Files:

  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The problem is with Spybot.....the file does not exist in any of your logs and even avenger reports that it does not exist.
     
  15. terradale

    terradale Private E-2

    Tim,
    I was thinking that too. Altho, I ended up going in to regedit and did a find on 'wvUlllmf' and found it under Windows NT -> Current Version -> WinLogon -> Notify_Disabled. And there it lies in its own little folder. The right window has this to say:

    ------------------------------------------------
    (Default)      REG_SZ     (value not set)
    Asynchronous   REG_DWORD  0x00000001 (1)
    DllName        REG_SZ     wvUlllMf.dll
    Impersonate    REG_DWORD  0x00000000 (0)
    Logoff         REG_SZ     f
    Logon          REG_SZ     o
    ------------------------------------------------

    Also, I checked the other winlogon folders and they all have an 'impersonate' type thing in each folder too - is that normal?

    Any advice you may have would be much appreciated.
     
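    DLLs registered as subkeys under Winlogon\Notify are loaded by winlogon.exe and called on the events they name (Logon, Logoff, and so on), which is why a leftover entry like the one above keeps showing up in startup reports even when the file itself is gone. The script below is an added example (not from this thread or from Spybot): it parses a regedit .reg export offline, lists every Notify / Notify_Disabled subkey with its DllName and event handlers, flags entries whose DLL is not in a caller-supplied list of files known to exist on disk, and builds the "[-key]" deletion line regedit uses to remove a key. The export text is constructed for the example; the crypt32chain entry is shaped like the stock Windows one, and the wvUlllMf entry mirrors the values quoted in the post.

```python
"""Offline audit of Winlogon Notify subkeys from a regedit (.reg) export.

Added example, not from the thread. Parses the export text, lists each
Notify / Notify_Disabled subkey with its DllName, flags entries whose DLL
is not known to exist on disk, and emits a .reg deletion directive.
"""
import re
from typing import Any, Dict, Iterator, List, Set

# Constructed sample export (not the poster's registry): one stock Windows
# entry and one dangling entry shaped like the one quoted in the thread.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,\
  00,6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify_Disabled\wvUlllMf]
"Asynchronous"=dword:00000001
"DllName"="wvUlllMf.dll"
"Impersonate"=dword:00000000
"Logoff"="f"
"Logon"="o"
"""

# Event value names a Winlogon notification package may register for.
WLX_EVENTS = {"logon", "logoff", "startup", "shutdown", "lock", "unlock",
              "startscreensaver", "stopscreensaver", "startshell", "postshell",
              "disconnect", "reconnect"}

KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _logical_lines(text: str) -> Iterator[str]:
    """Join regedit's backslash-continued hex lines into single lines."""
    buf = ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1].strip()
            continue
        yield buf + raw.strip()
        buf = ""
    if buf:
        yield buf


def decode_value(raw: str) -> Any:
    """Decode a .reg value: quoted string, dword, or hex(n) blob."""
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex\((\d+)\):(.*)$", raw, re.IGNORECASE)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) in ("2", "7"):  # REG_EXPAND_SZ / REG_MULTI_SZ: UTF-16LE
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    return raw


def parse_reg(text: str) -> Dict[str, Dict[str, Any]]:
    """Map each key path in the export to its {value name: decoded value}."""
    keys: Dict[str, Dict[str, Any]] = {}
    current = None
    for line in _logical_lines(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        km = KEY_RE.match(line)
        if km:
            # "[-key]" is a deletion directive, not data; ignore its body.
            current = None if km.group(1) == "-" else km.group(2)
            if current is not None:
                keys.setdefault(current, {})
            continue
        vm = VAL_RE.match(line)
        if vm and current is not None:
            keys[current][vm.group(1)] = decode_value(vm.group(2))
    return keys


def audit_notify(keys: Dict[str, Dict[str, Any]], files_on_disk: Set[str]) -> List[Dict[str, Any]]:
    """Report every ...\\Winlogon\\Notify*\\<subkey> with its DLL and events."""
    known = {f.lower() for f in files_on_disk}
    findings = []
    for path, values in keys.items():
        segs = path.split("\\")
        if len(segs) < 3 or segs[-3].lower() != "winlogon" or not segs[-2].lower().startswith("notify"):
            continue
        dll = values.get("DllName")
        findings.append({
            "key": path, "parent": segs[-2], "subkey": segs[-1], "dll": dll,
            "on_disk": isinstance(dll, str) and dll.lower() in known,
            "handlers": sorted(n for n in values if n.lower() in WLX_EVENTS),
        })
    return findings


def removal_reg(key_path: str) -> str:
    """Build a .reg file that deletes one key (regedit's [-key] syntax)."""
    return "Windows Registry Editor Version 5.00\n\n[-%s]\n" % key_path


if __name__ == "__main__":
    for f in audit_notify(parse_reg(SAMPLE_REG), {"crypt32.dll"}):
        flag = "OK      " if f["on_disk"] else "DANGLING"
        print(f"{flag} {f['parent']}\\{f['subkey']}: DllName={f['dll']} events={f['handlers']}")
```

On a live XP machine the export would come from regedit (File -> Export on the Winlogon key) and the file list from a directory listing of %SystemRoot%\system32; the script deliberately takes both as text so the check can be done on a log rather than on the infected box.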
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try the below.

    Copy the bold text below to notepad. Save it as fixWLND.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Then recheck Spybot to see if the key actually deleted. Do not open Spybot until you have done the above. If this does not delete the registry key it will have to be forcefully deleted using Avenger or ComboFix.
     
  17. terradale

    terradale Private E-2

    I think it's gone. I'll run some add'l spyware programs in case it renamed itself. But, I can no longer find it in the registry by the name wvUlllMf nor in Spybot under Tools -> System Startup. The Winlogon sequence (for lack of a better word) is still checked. But, it looks normal.

    Thanks for hanging in there with me. I'm going to give it a few days before I use any banking type programs. Then you all will get a donation.
     
  18. terradale

    terradale Private E-2

    Oops... forgot to mention - I received a 'success' msg when the regedit4 file was run.
     
  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know....now we just need to clean up from all the scans:

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    If you get a success message, then it is time to do our final steps:


    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below

      * Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

      • Delete the C:\combo-fix folder from combofix.

    4. If we had you run Avenger, you can delete all files related to Avenger now.
    5. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    9. Go to add/remove programs and uninstall HijackThis.
    10. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    11. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    12. After doing the above, you should work thru the below link:

     
  20. terradale

    terradale Private E-2

    Sorry peoples - still having problems. I performed all the 'clean up' instructions and after the reboot and just for kicks, I did a windows search on 'wvu*' and guess what I found. wvulllmf hanging out in the following:

    - wininit c:\WINDOWS 1kb Configuration File Date created: 8/10/08 Date modified 8/17/18. I opened the file and it contains

    =====================================
    '[rename]' then 'c:\tempjunk3647.tmp=C:\WINDOWS\SchedLgU.Txt_tobedeleted
    nul=c:\tempjunk3018.tmp
    c:\tempjunk2553.tmp=C:\WINDOWS\SchedLgU.Txt_tobedeleted'
    ---(about 9 times)---
    then the last line is:
    'c:\tempjunk3018.tmp=C:\WINDOWS\system32\wvUlllMf.dll'
    =====================================

    I looked up wininit and found that it is a legit Vista exe. Unfortunately, my system is XP. Could this be WOLLF.16 virus?

    - Then I found wvulllmf surrounded by a whole bunch of startup code in 'CollectedDate_02524 'c:\Windows\PCHealth\HelpCtr\DataCol 1072kb XML Doc Date created: 8/25/08 Date modified 8/25/08'

    Since this started I wondered what PCHealth is and looked it up; some say it's a Toshiba (which my laptop is) utility, others mention trojan W32.Cone worm-

    I didn't open the following but there's also a regLocal and regUsers registration Entries created on 9/21/2008 both approx 23,000kb at 11:39p that was returned during the windows search.

    Other symptoms of still being infected:

    I uninstalled and reloaded Spybot (without TeaTimer) and it still is not identifying any problems. Nothing, nada - not even a cookie.

    My Avast! Home Version 4.8 'Resume Provider' is greyed out. I'm new to Avast and not sure if that's the way it's supposed to be.

    Do we start over? New thread? Or are these fixes?


    Sorry!!!
     
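    The [rename] section quoted in the post above is the old wininit.ini format: each line is destination=source, processed in order, and a destination of NUL means delete the source. Cleanup tools write such lines to get rid of files that are locked while Windows is running; on NT-family systems (XP included) the native equivalent is the PendingFileRenameOperations value under Session Manager, so the file is worth reading as a record of what a tool was trying to remove rather than as a startup entry in its own right. The script below is an added example (not from this thread or from any of the tools named in it): it parses a [rename] section and follows each file through the chain of renames and deletes to report where it ends up. The sample file is constructed to mirror the lines quoted in the post, so it shows the wvUlllMf.dll line as a rename into a .tmp file rather than an outright delete.

```python
"""Parse a wininit.ini [rename] section and trace each file's fate.

Added example, not from the thread. Format: one "destination=source" per
line under [rename]; destination NUL deletes the source. Lines run in order,
so a file may be renamed and the new name deleted later.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the snippet quoted in the thread; the
# poster's actual file is not reproduced here.
SAMPLE_WININIT = r"""[rename]
c:\tempjunk3647.tmp=C:\WINDOWS\SchedLgU.Txt_tobedeleted
nul=c:\tempjunk3018.tmp
c:\tempjunk2553.tmp=C:\WINDOWS\SchedLgU.Txt_tobedeleted
c:\tempjunk3018.tmp=C:\WINDOWS\system32\wvUlllMf.dll
"""

# (kind, source, destination); destination is None for a delete.
Op = Tuple[str, str, Optional[str]]
Record = Dict[str, Optional[str]]


def parse_wininit(text: str) -> List[Op]:
    """Return the [rename] operations in file order; other sections ignored."""
    ops: List[Op] = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if not in_rename or "=" not in line:
            continue
        dest, src = (part.strip() for part in line.split("=", 1))
        if dest.lower() == "nul":
            ops.append(("delete", src, None))
        else:
            ops.append(("rename", src, dest))
    return ops


def trace_fates(ops: List[Op]) -> List[Record]:
    """Follow each original path through renames; current=None means deleted.

    A source that matches where a tracked file currently sits continues
    that file's chain; otherwise a new chain starts. Overwrites of an
    existing destination are not modelled.
    """
    records: List[Record] = []
    for kind, src, dest in ops:
        rec = next((r for r in records
                    if r["current"] and r["current"].lower() == src.lower()), None)
        if rec is None:
            rec = {"original": src, "current": src}
            records.append(rec)
        rec["current"] = None if kind == "delete" else dest
    return records


def describe(rec: Record) -> str:
    """Human-readable outcome for one traced file."""
    if rec["current"] is None:
        return "deleted"
    if rec["current"].lower() == rec["original"].lower():
        return "unchanged"
    return "renamed to " + rec["current"]


def fate_of(ops: List[Op], basename: str) -> List[Record]:
    """All chains whose original file name (last path component) matches."""
    want = basename.lower()
    return [r for r in trace_fates(ops)
            if (r["original"] or "").replace("/", "\\").rsplit("\\", 1)[-1].lower() == want]


if __name__ == "__main__":
    pending = parse_wininit(SAMPLE_WININIT)
    for rec in trace_fates(pending):
        print(f"{rec['original']}: {describe(rec)}")
```

Run against a real wininit.ini, a line whose fate reads "renamed to ...tmp" with no later delete of that .tmp is the thing to check next: the original name is gone, but the bytes are still on disk under the temp name.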
  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We start over......
    ComboFix
    SAS
    MWB's
    MGTools

    little bugger needs to die!!!! :)
     