TechSpot

Heaps of trojans - Win32/Virtumonde.gen, Win32/Conhook.C, Generic5.BQK bplyksfo.dll

By jadeo9
Jun 29, 2007
  1. Hi, my brother and sister have filled their computer with a heap of trojans.
    AVG anti-virus is picking some of them up but never seems to get rid of them. I have run all the scans so far but I have no idea if they have gotten rid of anything permanently. I didn't run an online virus scan because we only have dial-up and it takes about 5 hours and then doesn't finish; it doesn't respond for some reason. Attached are the combofix log and HJT log.
    Below are the names listed in the virus vault of AVG:
    Win32/Virtumonde.gen
    Trojan:Win32/Conhook.C
    Generic5.BQK - the infected file is bplyksfo.dll
    Changed - WINDOWS\System32\Kernal32.dll
    Collected.11.B
    Generic5.CF
    Generic4.XZM
    Generic4.SLB
    Generic4.SLZ
    Clicker.GBX
    Clicker.GGA
    Lop.CC
    Lop.BN
    Lop.CA
    Lop.BM
    Lop.BQ
    Generic5.GQ
    Generic4.YAR
    Generic4.OUN
    Generic4.OAR
    Generic4.DRR
    Backdoor.Generic6.EFC
     


  2. tomrca

    tomrca TS Rookie Posts: 1,051

    Hi jadeo9.
    Well, it looks like you have done quite a reasonable job on the initial cleanup. There seem to be only a couple of unnecessary programmes and missing files (BHOs) that are part of Vundo and downloaders.
    Sit back and wait for momok to get to you. He is the cleanup expert at the moment.
    You really need to scan more on downloads and don't trust everything sent to you in e-mails or by friends sending SMS. Even scan CDs that are compiled by friends and passed on to you.
     
  3. momok

    momok TS Rookie Posts: 2,272

    Hi,

    I thought your HijackThis log was fairly clean, but almost had a shock looking at your ComboFix log. It's one of the worst infections I've come across so far.

    You may wish to copy and paste these instructions on notepad for easier reference later.

    Download the attached "Combofix-Do.txt" (from my attachment) and save it to the same folder as Combofix.

    Boot into safe mode under your normal user name. See how HERE

    Next turn on "Show all files and folders, including hidden and system". See how HERE

    Please run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - (no file)
    O2 - BHO: (no name) - {9A05E78A-5E83-48F1-AEF4-C0F3D7F371E3} - C:\WINDOWS\system32\bplyksfo.dll (file missing)

    Close HJT.

    Drag the Combofix-Do.txt that you downloaded earlier over on to Combofix.exe and release.

    This will ask Combofix to execute the instructions within my file. Let Combofix run normally and do its job. Attach the resultant log in your reply.

    Reboot into normal mode and rehide your protected OS files.

    Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread.


    Regards,
    Your friendly momok =)

    This thread is for the use of jadeo9 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     

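As an added illustration (not code from the thread, from HijackThis or from the helpers here): a small Python parser for HijackThis O2 BHO lines like the two momok asks jadeo9 to fix above. It flags the traits those two entries share (no name, file missing). The 8-lowercase-letter filename check is a heuristic of my own, modelled on the thread's bplyksfo.dll, not a rule the thread states; the third sample line is a made-up healthy-looking entry for contrast.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample log. The first two O2 lines are the ones quoted in momok's
# reply above; the third is a made-up, healthy-looking entry for contrast.
SAMPLE_HJT_LOG = """\
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - (no file)
O2 - BHO: (no name) - {9A05E78A-5E83-48F1-AEF4-C0F3D7F371E3} - C:\\WINDOWS\\system32\\bplyksfo.dll (file missing)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\\Program Files\\Example\\helper.dll
"""

# HijackThis O2 line layout: "O2 - BHO: <name> - {CLSID} - <path or placeholder>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<path>.*)$"
)
# Heuristic (mine, not HijackThis's): a DLL directly in system32 whose name is
# eight random-looking lowercase letters, the shape of the thread's bplyksfo.dll.
RANDOM_NAME_RE = re.compile(r"\\[Ss]ystem32\\[a-z]{8}\.dll")


@dataclass
class BhoEntry:
    name: str
    clsid: str
    path: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def assess(entry: BhoEntry) -> BhoEntry:
    """Attach the reasons an entry deserves a look; an empty list means it looks ordinary."""
    if entry.name == "(no name)":
        entry.reasons.append("no name")
    if entry.path == "(no file)" or entry.path.endswith("(file missing)"):
        entry.reasons.append("missing file")
    if RANDOM_NAME_RE.search(entry.path):
        entry.reasons.append("random 8-letter name")
    return entry


def parse_o2_entries(log_text: str) -> List[BhoEntry]:
    """Parse every O2 BHO line in a HijackThis log; other line types are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            entries.append(assess(BhoEntry(m["name"], m["clsid"], m["path"])))
    return entries


def entries_to_fix(log_text: str) -> List[str]:
    """CLSIDs of the entries a helper would tick and 'Fix checked' in HijackThis."""
    return [e.clsid for e in parse_o2_entries(log_text) if e.suspicious]


if __name__ == "__main__":
    for e in parse_o2_entries(SAMPLE_HJT_LOG):
        flag = ", ".join(e.reasons) or "ok"
        print(f"{e.clsid} {e.name!r:18} -> {flag}")
```

Run on the sample, the two quoted entries come back flagged and the contrast entry does not. A dangling BHO with no file on disk is harmless by itself, but it is the registry trace of a component that was there, which is why helpers clear such entries alongside the files.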

  4. tomrca

    tomrca TS Rookie Posts: 1,051

    momok
    it was a doozy wasn't it:eek:
     
  5. momok

    momok TS Rookie Posts: 2,272

    Yep just look at the files I have to remove in Combofix-Do.txt haha =)
     
  6. tomrca

    tomrca TS Rookie Posts: 1,051

    I saw the combo log. It looks like the info file @prevx site.
     
  7. jadeo9

    jadeo9 TS Rookie Topic Starter Posts: 29

    Thanks for all your help so far. Like I said, it is my brother and sister's computer and they seem to have no idea when it comes to the internet; they can't even run a virus scan. I only get back home once a month and I don't always have time to see what they have been up to. They spend a lot of time on messenger and I think that is where some of the infections have come from. Will post the logs ASAP!
     
  8. tomrca

    tomrca TS Rookie Posts: 1,051

    Take your time. We will all still be here:wave:
     
  9. jadeo9

    jadeo9 TS Rookie Topic Starter Posts: 29

    Completed fresh HijackThis, ComboFix and AVG anti-spyware scans. The logs are attached. After running ComboFix in safe mode and rebooting in normal mode the computer was very sluggish and was slower than ever before. It froze once during the AVG scan so I restarted and ran the scan again.

    Just to clarify, combofix3 is the scan completed in safe mode. combofix4 is the scan completed in normal mode that I ran after HijackThis.
     
  10. momok

    momok TS Rookie Posts: 2,272

    Hi,

    We got a tricky infection on our hands.
    Please follow these instructions carefully.

    1. Download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached "avengerscript.txt" (from my attachment) and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon which will open a new window titled "open Script File"
    navigate to the attachment avengerscript.txt you have just downloaded, click on it and press open.
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT and ComboFix log.


    Regards,
    Your friendly momok =)

    This thread is for the use of jadeo9 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  11. tomrca

    tomrca TS Rookie Posts: 1,051

    Your log looks as clean as a whistle. momok may be able to find something, but I can't.
     
     
  12. jadeo9

    jadeo9 TS Rookie Topic Starter Posts: 29

    Attached are the Avenger, HijackThis and ComboFix logs. After completing the Avenger scan I can no longer connect to the Internet; it has deleted my dial-up connection. I tried to establish a new connection but it won't let me choose dial-up; the only option is broadband, which we don't have. So I had to post these logs by copying them to my USB and using my friend's computer to post them.
     
  13. tomrca

    tomrca TS Rookie Posts: 1,051

    You may well need to install your modem first.
     
  14. momok

    momok TS Rookie Posts: 2,272

    Hi,

    I'm afraid that would be my fault, not the program. I apologize for any inconvenience caused. I had missed a single line mixed in with the rest of the infected files, which I believe is the required file to run your connection.
    Please go to C:\avenger\backup.zip and open it.

    Search for a schannel.dll file and extract it to this file path:
    C:\WINDOWS\system32\schannel.dll

    It might have been renamed, if so, change the name and extension back to schannel.dll.

    Try running your internet connection again after this and see if it works.


    Regards,
    Your friendly momok =)

    This thread is for the use of jadeo9 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
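The recovery step above (pull one file back out of The Avenger's backup zip, even if it was renamed, and put it under its proper name) as an added Python example. This is my own illustration, not code from The Avenger or from the thread; the zip it builds is a constructed stand-in for C:\avenger\backup.zip with dummy bytes, not a real DLL, and the destination is a temporary directory rather than C:\WINDOWS\system32.

```python
import hashlib
import os
import tempfile
import zipfile
from pathlib import Path
from typing import Optional


def find_member(zf: zipfile.ZipFile, wanted: str) -> Optional[zipfile.ZipInfo]:
    """Locate a backed-up file even if it was renamed (schannel.dll.bak, SCHANNEL.DLL.0001, ...):
    match on the file's stem, ignoring case and directory."""
    stem = Path(wanted).stem.lower()
    for info in zf.infolist():
        if info.is_dir():
            continue
        base = os.path.basename(info.filename).lower()
        if base == wanted.lower() or base.startswith(stem + "."):
            return info
    return None


def restore_from_backup(zip_path: str, wanted: str, dest_dir: str) -> Optional[str]:
    """Copy the backed-up file into dest_dir under its proper name.
    Returns the SHA-256 of the restored bytes, or None if no candidate was found.
    The bytes are written to a fixed destination name rather than via extract(),
    so the member's own path inside the zip is never used as a filesystem path."""
    with zipfile.ZipFile(zip_path) as zf:
        info = find_member(zf, wanted)
        if info is None:
            return None
        data = zf.read(info)
    target = Path(dest_dir) / wanted
    target.write_bytes(data)
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the backup archive: two placeholder entries, one of
# which is the wanted DLL under a mangled name. Contents are dummy bytes.
FAKE_DLL_BYTES = b"MZ-constructed-placeholder-not-a-real-dll"
EXPECTED_SHA256 = hashlib.sha256(FAKE_DLL_BYTES).hexdigest()


def build_sample_backup(path: str) -> None:
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("avenger/backup/bplyksfo.dll.bak", b"placeholder junk")
        zf.writestr("avenger/backup/SCHANNEL.DLL.0001", FAKE_DLL_BYTES)


def demo() -> Optional[str]:
    """Build the sample zip in a temp dir, restore schannel.dll beside it, return its hash."""
    with tempfile.TemporaryDirectory() as tmp:
        zip_path = os.path.join(tmp, "backup.zip")
        build_sample_backup(zip_path)
        digest = restore_from_backup(zip_path, "schannel.dll", tmp)
        restored = (Path(tmp) / "schannel.dll").read_bytes()
        assert restored == FAKE_DLL_BYTES, "restored bytes differ from the backup"
        return digest


if __name__ == "__main__":
    print("restored schannel.dll, sha256 =", demo())
```

The returned hash is there so the restored copy can be compared against a known-good copy of the same file from another machine running the same Windows version before it is trusted again; a file that a cleanup tool moved out of system32 deserves that check whichever direction it is moving.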
     
  15. jadeo9

    jadeo9 TS Rookie Topic Starter Posts: 29

    I have completed the steps above and the schannel.dll has been put back in the right spot, but still I have no internet connection. After I replaced the file I ran the scans again; attached are the logs.
     
  16. momok

    momok TS Rookie Posts: 2,272

    Hi,

    All your logs look clean. With regards to your internet connection, I'm not quite sure what seems to be the problem. Are you able to establish/create a new connection?

    Have you tried reinstalling modem drivers as tomrca suggested?


    Regards,
    Your friendly momok =)

    This thread is for the use of jadeo9 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  17. jadeo9

    jadeo9 TS Rookie Topic Starter Posts: 29

    That's great about the infections being clear, but the computer is actually way slower than it was with all the trojans and viruses. So maybe we got rid of some other files that might be important?? I dunno really, just a suggestion.
    How do I install the modem? The computer is fairly old and I don't think I will have a disk or CD (I will have to dig for it). Can I check in the computer hardware section for information on the modem? Then maybe I could download the installation file from the internet (at my friend's place).
    As I said earlier, I tried to start a new connection but it won't let me choose dial-up; the only option is broadband, which we don't have.
     
  18. momok

    momok TS Rookie Posts: 2,272

    Hi,

    I've checked my instructions again; there aren't any other wrong files we fixed accidentally. Your system is slow because Windows Defender and ZoneAlarm are both on. That takes up a lot of resources.

    Go to Control Panel > Security Centre and turn off Windows Defender. It is pretty much crap IMHO. Hopefully that should speed up your computer.

    May I also suggest that you read this thread here on how to speed up your system.

    May I just check with you, how did you attempt to start a new connection?


    Regards,
    Your friendly momok =)

    This thread is for the use of jadeo9 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  19. jadeo9

    jadeo9 TS Rookie Topic Starter Posts: 29

    I went to Control Panel > Network Connections; our dial-up connection was not listed so I attempted to create a new connection.
    New Connection > Connect to the Internet > Set up connection manually > then I couldn't select the dial-up option (it is in grey); it would only let me select the broadband option, which is useless to me.
    So something has gone wrong after Avenger, because it was there before working fine and now it has deleted my connection and won't let me create a new one. I went to the hardware section and it says my modem is working correctly. What to do??
     
  20. momok

    momok TS Rookie Posts: 2,272

    Hi,

    If this reassures you, I went back to the avenger instructions I provided and checked through every single entry I typed twice. There are no other erroneous entries apart from schannel.dll which you have already replaced.

    It is possible that sometimes after an infection, some system files are damaged or corrupt. It is likely that that is what happened in your case, since your modem drivers are fine.

    I would suggest that you do a repair via this thread HERE.

    Please let me know if everything is alright after this.


    Regards,
    Your friendly momok =)

    This thread is for the use of jadeo9 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
Topic Status:
Not open for further replies.