[Closed] Can't Rid Trojan.virtumonde


This topic is locked
7 replies to this topic

#1 jgb (New Member, 4 posts)

Posted 21 September 2007 - 06:44 AM

I was plagued by the Vundo virus a week ago, and thought it was removed with VundoFix. But it seems a clone of it is now solidly in my PC.
I am running 2 AV concurrently. I know that's a no-no, but these 2 seem to work well together and are complementary.
I have AVAST which is a very good firewall, and SPYWARE DOCTOR which is a very good resident scanner.
I threw out PC-CILLIN when it would only warn, but not rid me of Vundo.

Now my startup scan with SW.DR reports the Trojan.Virtumonde is resident. It reports the following...
Process Call....Winlogon.exe (C:\windows\system32\OPNOPOM.DLL)
.......................Explorer.exe (C:\windows\system32\OPNOPOM.DLL)
File.................C:\windows\system32\OPNOPOM.DLL
Startup...........HKEY_local_machine\microsoft\windows\current version\exp...\shellexecutehooks, (c1adc5ed-fb26-4770-afe5-bd3a7eb5c148)
........................HKEY_local_machine\microsoft\windowsnt\current version\winlogon\notify\OPNOPOM,dllname = OPNOPOM.DLL
Registry Key...HKEY_local_machine\microsoft\windows\current version\explorer\browser helper object\(c1adc5ed-fb26-4770-afe5-bd3a7eb5c148)

SW.DR removes all but the file OPNOPOM.DLL. Other boot-up file killers, including HijackThis, cannot remove it either.
I have manually cleaned the registry of all references to this file, but it all comes back at next boot.
SW.DR at least stops it from doing its thing in real-time.

Now I figure that WINLOGON.EXE and EXPLORER.EXE may be infected, and WINLOGON loads well before the boot-killers do, protecting the file.
I asked the question on WindowsBBS if I can deactivate WINLOGON.EXE (by temporarily renaming it, if that can be done) so it won't load and the boot-killers can do their stuff, but no suitable answer so far. Is this viable / possible??
Or would a transplant of a clean WINLOGON and EXPLORER work, assuming they can be replaced?
What about a CD boot to bypass the installed files?

Anyway, here is the Hijackthis log.
A lot of the files that are "missing" were those from the Vundo attack that have been deleted.
I assume it would be OK to remove those lines, but I'll wait for your analysis. There are others that should be deleted as well, if only to clean up the registry.

I really hope someone can help, because I've read this Trojan is very difficult to totally kill.

Thanks in advance
jgb

================================
Logfile of HijackThis v1.99.1
Scan saved at 7:19:35 AM, on 9/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\AVast\aswUpdSv.exe
C:\AVast\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\V-Stream\PVR Plus\TVR\Scheduled.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\AVast\ashDisp.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Quick-Access\ProcessLibrary\qaccess.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\AVast\ashMaiSv.exe
C:\AVast\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HiJackThis-Scanner\Spywarescan.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimt.../aimtoolbar.jsp
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\FlashGet\jccatch.dll
O2 - BHO: (no name) - {3D078D49-5C0E-49B6-9E4A-571AECAB9DBB} - C:\WINDOWS\system32\vtutu.dll (file missing)
O2 - BHO: (no name) - {3F5E9987-FD12-408E-3612-018845CDF059} - (no file)
O2 - BHO: (no name) - {41E1D7D5-4908-436A-8A43-04C56659EE5A} - C:\WINDOWS\system32\pmkhh.dll (file missing)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {8EFB7906-4BBD-4282-83CB-54675FA9B7AE} - C:\WINDOWS\system32\geedd.dll (file missing)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: oembios32.msdn_hlp - {AB5FE6E5-7C72-4B89-85D0-D57E7AEAC236} - C:\WINDOWS\system32\oembios32.dll (file missing)
O2 - BHO: (no name) - {BF1CE9E9-D043-413D-8DDC-061393367AAC} - C:\WINDOWS\System32\ddabb.dll (file missing)
O2 - BHO: (no name) - {C1ADC5ED-FB26-4770-AFE5-BD3A7EB5C148} - C:\WINDOWS\system32\opnopom.dll
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {C9362C1D-579A-428C-BB24-3479D0E197C8} - C:\WINDOWS\System32\ssqpp.dll (file missing)
O2 - BHO: (no name) - {D4F2C7DF-EC73-4E0B-9E24-DC1E864037F8} - C:\WINDOWS\system32\pmnno.dll (file missing)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {D960D240-B4D6-45BF-8962-F04BF469CD0D} - C:\WINDOWS\system32\awvtt.dll (file missing)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: (no name) - {EB6D904A-84EF-488C-AF3C-F82C83DBB369} - C:\WINDOWS\system32\ddcyv.dll (file missing)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\FlashGet\getflash.dll
O2 - BHO: (no name) - {F5938714-BD46-408A-9842-4058206D37E3} - (no file)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\FlashGet\fgiebar.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE lebeca web camera driver
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MediaFace Integration] C:\MediaFace-Neato\SetHook.exe
O4 - HKLM\..\Run: [PVR Agent] C:\Program Files\V-Stream\PVR Plus\TVR\Scheduled.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [avast!] C:\AVast\ashDisp.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\pofrqmkk.dll",sitypnow
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Vnqfny] "C:\Program Files\Common Files\s?curity\?xplorer.exe"
O4 - HKCU\..\Run: [Uniblue Quick Access] "C:\Quick-Access\ProcessLibrary\qaccess.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\PalmPilot 515\HOTSYNC.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Download All with FlashGet - C:\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AOL-AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\FlashGet\FlashGet.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...ntr_current.cab
O16 - DPF: {4EC8E993-32C1-47F5-A07A-5B0574655AD4} (WXcom Class) - http://us.dl1.yimg.c...ntr_current.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase8300.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{75A7C26E-DF48-4502-BA70-BD15CED1C429}: NameServer = 199.166.4.2
O20 - Winlogon Notify: ddabb - C:\WINDOWS\System32\ddabb.dll (file missing)
O20 - Winlogon Notify: opnopom - C:\WINDOWS\SYSTEM32\opnopom.dll
O20 - Winlogon Notify: ssqpp - C:\WINDOWS\System32\ssqpp.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\AVast\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\AVast\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\AVast\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\AVast\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Windows - Unknown owner - C:\WINNT\srvany.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

end
----------------------- jgb
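The persistence pattern in the log above (one DLL registered both as a Browser Helper Object and as a Winlogon Notify package, remnant entries marked "(file missing)", a Run value that loads a system32 DLL through rundll32, and a path HijackThis could not print cleanly) can be triaged mechanically. The following is an added example, not code from the thread or from HijackThis. The sample lines are excerpted from the posted log; the section regexes, severities, heuristics and function names are this example's own assumptions.

```python
"""Triage HijackThis (HJT v1.99.1) log lines for Vundo-style persistence.

Added example, not HJT's own logic. It parses O2 (BHO), O4 (Run key) and
O20 (Winlogon Notify) lines and cross-references them: one DLL registered
both as a BHO and as a Winlogon notification package is the pattern the
first post reports for OPNOPOM.DLL. Heuristics here are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: lines excerpted from the HJT log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {41E1D7D5-4908-436A-8A43-04C56659EE5A} - C:\WINDOWS\system32\pmkhh.dll (file missing)
O2 - BHO: (no name) - {BF1CE9E9-D043-413D-8DDC-061393367AAC} - C:\WINDOWS\System32\ddabb.dll (file missing)
O2 - BHO: (no name) - {C1ADC5ED-FB26-4770-AFE5-BD3A7EB5C148} - C:\WINDOWS\system32\opnopom.dll
O2 - BHO: (no name) - {C9362C1D-579A-428C-BB24-3479D0E197C8} - C:\WINDOWS\System32\ssqpp.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\AVast\ashDisp.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\pofrqmkk.dll",sitypnow
O4 - HKCU\..\Run: [Vnqfny] "C:\Program Files\Common Files\s?curity\?xplorer.exe"
O20 - Winlogon Notify: ddabb - C:\WINDOWS\System32\ddabb.dll (file missing)
O20 - Winlogon Notify: opnopom - C:\WINDOWS\SYSTEM32\opnopom.dll
O20 - Winlogon Notify: ssqpp - C:\WINDOWS\System32\ssqpp.dll (file missing)
"""

# Section formats as HJT 1.99.1 prints them (assumed from the log above).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")
DLL_RE = re.compile(r"([A-Za-z0-9_~.-]+\.dll)\b", re.IGNORECASE)
SYSTEM32_RE = re.compile(r"\\system32\\", re.IGNORECASE)
MISSING_MARKERS = ("(file missing)", "(no file)")


@dataclass
class Entry:
    kind: str       # "BHO", "Run" or "WinlogonNotify"
    name: str       # HJT display name, e.g. "(no name)" or the Run value name
    target: str     # path or command line with the missing-file marker stripped
    missing: bool   # HJT flagged "(file missing)" / "(no file)"
    raw: str
    clsid: str = ""


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one O2/O4/O20 line; lines from other sections return None."""
    line = line.strip()
    for kind, rx in (("BHO", O2_RE), ("Run", O4_RE), ("WinlogonNotify", O20_RE)):
        m = rx.match(line)
        if not m:
            continue
        target = m.group("target").strip()
        missing = any(mk in target for mk in MISSING_MARKERS)
        for mk in MISSING_MARKERS:
            target = target.replace(mk, "").strip()
        return Entry(kind, m.group("name"), target, missing, line,
                     m.groupdict().get("clsid", ""))
    return None


def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]


def dll_name(target: str) -> str:
    """Lower-case basename of the first .dll in a path or command line ('' if none)."""
    m = DLL_RE.search(target)
    return m.group(1).lower() if m else ""


def persistence_map(entries: List[Entry]) -> Dict[str, Set[str]]:
    """DLL basename -> set of autostart points that load it."""
    where: Dict[str, Set[str]] = defaultdict(set)
    for e in entries:
        d = dll_name(e.target)
        if d:
            where[d].add(e.kind)
    return where


def vundo_candidates(entries: List[Entry], live_only: bool = True) -> Set[str]:
    """DLLs registered both as a BHO and as a Winlogon Notify package.

    A browser helper has no reason to hook Winlogon; the hook is what gets the
    DLL loaded before any on-demand scanner and keeps it 'in use'. With
    live_only, entries HJT marks as missing are skipped (earlier clean-up).
    """
    considered = [e for e in entries if not (live_only and e.missing)]
    return {d for d, kinds in persistence_map(considered).items()
            if {"BHO", "WinlogonNotify"} <= kinds}


Finding = Tuple[str, str, str]  # (severity, reason, raw line)


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply heuristics in priority order; at most one finding per entry."""
    findings: List[Finding] = []
    hot = vundo_candidates(entries)
    for e in entries:
        d = dll_name(e.target)
        if d and d in hot:
            findings.append(("HIGH", f"{d} is registered as both a BHO and a Winlogon Notify package", e.raw))
        elif e.kind == "BHO" and e.name == "(no name)" and not e.missing and SYSTEM32_RE.search(e.target):
            findings.append(("MEDIUM", "unnamed BHO loading a DLL straight from system32", e.raw))
        elif e.kind == "Run" and "rundll32" in e.target.lower() and SYSTEM32_RE.search(e.target):
            findings.append(("MEDIUM", "Run value uses rundll32 to load a system32 DLL by export name", e.raw))
        elif "?" in e.target:
            findings.append(("MEDIUM", "path has characters HJT could not print: likely a look-alike directory name", e.raw))
        elif e.missing and e.kind in ("BHO", "WinlogonNotify"):
            findings.append(("LOW", "orphaned entry (file missing): registry clean-up only", e.raw))
    return findings


if __name__ == "__main__":
    for sev, why, raw in triage(parse_log(SAMPLE_LOG)):
        print(f"[{sev:6}] {why}\n         {raw}")
```

Run against the sample, only opnopom.dll comes out as a live candidate: ddabb.dll and ssqpp.dll show the same BHO-plus-Winlogon pairing but both files are already gone, so they are registry leftovers rather than an active infection. The named BHOs under Program Files (Adobe, Yahoo, Java) are never flagged, which is the point of requiring the cross-reference rather than scoring every BHO.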



#2 IndiGenus (Teacher Emeritus, 5,251 posts)

Posted 21 September 2007 - 07:11 PM

Hi jgb and welcome to the forums.

My name is Dave. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can sometimes take a while to research so please be patient and I'd be grateful if you would note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • NOTE:Before we start: Please be aware that removing Malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.
In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start, if possible.

First, while your current protection is fine for the time being I want to clear up a couple of things for you.

1. You are not running two AV's at the same time, which is good, because that can cause many headaches. Avast is Anti-Virus, and Spyware Doctor is, as its name says, Anti-Spyware.
2. Avast does not include a firewall. Are you using the free or professional version? The pro version does include a "network shield" which they describe as a "lightweight firewall". Hmm...there are good free firewalls that are not lightweight. I'll cover those at the end.

With that said...let's get to work.

Download and Run ComboFix
  • Download this file from below:
    Here
  • Disconnect from the Internet, then disable your Anti-virus and any real-time Anti-spyware monitors that are running.
  • Then double click Combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.
Note 1: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
Note 2: Remember to re-enable your Anti-virus and Anti-spyware before reconnecting to the Internet.
IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then [image]

Logs will be closed if you haven't replied within 5 days

Proud Graduate of TC/WTT Classroom

"To find perfect composure in the midst of change is to find ourselves in nirvana." -- Suzuki Roshi


#3 jgb (New Member, 4 posts)

Posted 24 September 2007 - 07:39 AM

Dave, thanks for the reply. I appreciate any help I can get.

First, allow me to reply to your 2 points.
1) I never made that difference, so thanks for clearing that up.
2) As for the free Avast not including a firewall, it seems to act that way effectively, versus free Spyware Doctor. SW.Dr. is very active and stops cold any viral activity from starting up, including the current Virtumonde, whereas Avast is silent. However Avast is very active reading my Email (in & out) as well as monitoring web sites, where SW.Dr. is relatively silent. So they complement each other, and in my mind quite well. The system overhead with both running is a low 2 - 3% (as seen by Process Explorer) while PC-Cillin alone was around 10% as I remember.

So now onto the problem at hand. Up to this morning, SW.Dr. has stopped OPNOPOM.DLL from going active. It blocks it whenever I try to bring up any app. or press a keyboard function. So it has been tolerable. I also learned to IPL the system with MODEM OFF, and turn it on only after SW.Dr. has finished its scan (2 min) and tells me it trapped OPNOPOM (but cannot remove it).

However this morning, as soon as I turned on the modem, Virtumonde rose up with a new active file AWVVU.DLL that called RUNDLL.EXE every 5 seconds, and was stopped by an illegal call, in today's case "Windows Image not Valid", different from OPNOPOM. AWVVU was non-deletable, as expected. But, as a normal action, I called REGEDIT and deleted all references to the offending file.

Then I had a flash. I rebooted with my original WIN-XP INSTALL CD and entered the REPAIR option. Flashback to my old DOS days... I defined my C:\WINDOWS as the repair object, and LO!! I was able to delete both offenders in 10 seconds. This is now obvious, as my C:\Windows\Winlogon.exe and Explorer.exe were not activated, and therefore the malware was unprotected. It then rebooted CLEAN, and SW.Dr. found no occurrence (at least not yet) of Virtumonde. I slapped 1 "atta-boy" on my rear.

This may not have killed Virtumonde outright (I only hope it did) but at least my PC is acting very normal. You may want to post this as a (temporary) fix:
  • Get the exact name and location of the offending file(s). I would expect everybody will have a different Virtumonde virus filename.
  • REGEDIT out all references to that file, and close REGEDIT.
  • Power off the PC. Do NOT shut down normally or just reboot (a precaution).
  • Cold boot with the XP install CD, in REPAIR mode. Select the "broken" OS, which puts you in an independent DOS mode.
  • Type dir C:\windows\system32\filename (note: do only 3 chars of the file and *.*, i.e. OPN*.*) to make sure it is there.
  • Type del C:\windows\system32\filename (full filename and .ext).
  • Type exit to reboot.

So, the question I have for you is: do you think COMBOFIX will do anything now that the offender files are gone? If you think it will, I will run it. Thanks
----------------------- jgb

#4 IndiGenus (Teacher Emeritus, 5,251 posts)

Posted 24 September 2007 - 08:13 AM

2) As for the free Avast not including a firewall, it seems to act that way effectively, versus free SpywareDoctor. SW.Dr. is very active and stops cold any viral activity from starting up, including the current Virtumonde, whereas Avast is silent. However Avast is very active reading my Email (in & out) as well as monitoring web sites, where SW.Dr. is relatively silent. So they complement each other, and in my mind quite well. The system overhead with both running is a low 2 - 3% (as seen by ProcessExplorer) while PC-Cillin alone was around 10% as I remember.


Yes, Avast and Spyware Doc. are an excellent combination and a great place to start (I use Avast myself with AVG AS). They both do have real time protection and do well at that also, all without using too many system resources. But I would still recommend adding one of the free firewalls to this mix to make your protection a little more robust. I'll give you some links when we're done.

I'm kind of confused how you really did this "fix". You didn't actually do a repair install? Personally I don't recommend doing them until you are out of other options, as sometimes you end up with apps that don't work anymore, and in general a more "sluggish" system, along with some other side effects. Just my experience.

But it doesn't sound like you needed to do that? I'm assuming you used the recovery console to do it correct? That will work too but we have tools that are easier to use for "less experienced" people than yourself. Some people we'd rather not have anywhere near the recovery console.

Post a fresh HJT and I'll take a look to see if it's gone, although I assume you've done that. I would not recommend this method as we have excellent tools to remove Vundo, both VundoFix and Combofix, along with some cleanup after are tested and proven methods of doing this, but cheers to you if you figured out another way. As is the case with most of Windows, there's usually about 5 or 6 ways to accomplish the same results.

So post your HJT and we'll go from there. Many times Vundo also comes along with some other "friends" too, or vice versa.

#5 jgb (New Member, 4 posts)

Posted 24 September 2007 - 12:31 PM

Dave, well, yes I do have some experience with DOS; my very first "PC" was a Tandy Radio-Shack TRS-80 back in 1978. Then onto the IBM 8080 PC, and on up the tree.

I have tried all the tools (except Combofix) including VundoFix, and boot-load file killers. Nothing worked. The problem, as you well know, is that Virtumonde protects itself by spawning when Winlogon.exe starts, and it seems nothing can load before that happens. So the malware is protected as an "in use" file. Even Safe Mode will not allow me to delete the file. All of the A/V's I've used were able to identify the culprit, so I had no trouble knowing which were the key files to delete. I manually cleaned the registry several times of various entries related to the culprit, but they all reappear the next time I booted up with the modem on. If I boot with the modem off, all is OK till I open my browser (Firefox) and all hell breaks loose. And I agree that is not something (manually cleaning the registry) that I would recommend to a less experienced person to do.

I was desperate to get a fix as this was eating productive time. I have already lost over a full week on the PC battling this Trojan. And I've read in several places that it was near impossible to kill, and only a reformat/reinstall would do it. That scared the hell out of me.

The key was to find a way to kill the culprit before it can get loaded. That key was to boot the system external to the OS on C:\windows. That turned out to be a boot with the Windows Install CD, and entering the "repair" mode, which is akin to DOS in the way it works. I did not do a real "repair" install, just used the DOS console to delete the files on C:\windows\system32\. Since the CD boot does not use hard drive files, the offending files were not loaded and as such were not "in use" and vulnerable. All I did was verify the 2 offending files were accessible by using the DIR command, then only deleting those 2 files using the DEL command. Not rocket science. If a person knows DOS, that mode would be child's play. EXIT and reboot.

Tomorrow (I hope) I will redo VundoFix and do Combofix to catch attending files, but I suspect the key culprits are gone. I will then do a HijackThis and repost the log so you can compare it to my previous log. That may help you. If you don't want to post my fix, fine. But keep it in your back pocket to try before recommending a reformat/reinstall. Thanks jgb
----------------------- jgb

#6 IndiGenus (Teacher Emeritus, 5,251 posts)

Posted 24 September 2007 - 01:16 PM

Hi,

Yes, the recovery console, very powerful if you know what you're doing. If you know DOS this is a big advantage here. Nice work.

I would post a HJT log here first before running any more tools. No need to run Combofix, or Vundofix if not necessary. After that I would also recommend a full Spyware scan, if you haven't already, with either your Spyware Doctor or AVG AS. And also an online virus scan; Kaspersky is my scanner of choice, very thorough and doesn't "do" anything with the files.

Yes, Vundo is one of the top issues we see in these forums, and I think the "designers" (if we want to call them that) of this Malware are always trying to work around the tools we use in these forums, like Vundofix. Vundofix is still an excellent tool to use but I think you will find many helpers are recommending Combofix now as it does a great job of unloading all those random dll's. It also includes very powerful scripting capabilities and probably would have fixed this one nicely.

So post the HJT and we can go from there if you would still like help.

And ahh...the TRS-80, a little before my time, very little. My first was actually a Mac II. Couldn't do too much with it, but it sparked the interest and like you I moved on to the "Wintel" products.

#7 IndiGenus (Teacher Emeritus, 5,251 posts)

Posted 28 September 2007 - 05:25 PM

How are you making out here? Still need help? Let me know. Thanks

#8 IndiGenus (Teacher Emeritus, 5,251 posts)

Posted 03 October 2007 - 08:46 PM

Due to inactivity this topic will be closed. If you need help please start a new thread and post a new HJT log.