I think I've cleaned my PC, could someone please check logs and confirm

Status
Not open for further replies.

withnail

Hi people,

So yesterday I installed some questionable software on my machine, and in with the installation file was another .exe which I believed to be a necessary component. Obviously it wasn't, and shortly after running it ESET intercepted this:

t655.dll a variant of Win32/Adware.Virtumonde.NBE application

I ran ESET and Adaware, which showed nothing, but today my PC was running a little sluggishly, explorer crashed occasionally, web surfing was slow and although I could access Google I could not perform a search.

Remembering this site from a while back (thanks again for that) I ran all of your steps and believe I have fixed the problem. Malwarebytes found Trojan.Vundo.H and removed several items. I've included two logs as one item remained after a reboot.

Immediately my machine was running as normal and Superantispyware found nothing.

I've also included the Hijackthis log. I have already removed O20 - AppInit_DLLs: xrvucj.dll as this was clearly no good, but would appreciate it if someone could confirm that there isn't anything else.

Thanks in advance.

Withnail
 

Attachments

  • hijackthis.log
    6.3 KB · Views: 5
Restart the computer & re-run HJT.

Findings:
C:\WINDOWS\system32\msiexec.exe
O20 - AppInit_DLLs: xrvucj.dll


I could not find source for "msiexec.exe".
A hasty look through support sites shows "msiexec.exe" as a nasty. However, it was not tied to "xrvucj.dll".

If either or both of the findings appear, repeat all steps & repost.
 
Thanks for looking at my logs.

As I said before, I had already removed O20 - AppInit_DLLs: xrvucj.dll. The other entry you mentioned was not present when I did another Hijackthis scan a minute ago.

Can we conclude I'm clean now?
 
Yes, then you are clean. If you can name the exploit that bit you, it may serve as a warning to others.

When it comes to malware, I am a lightweight. Spiritwind offers specific recommendations where you can go the extra step for the family of malware being presented in your case, and for the protection you are using.

Since the O20 entry got by the cleaning steps, I can hear the usual refrains: 1) Is Windows security current; 2) Is your protection up-to-date?
 
Thanks both of you for your help.

Everything is up to date and current (and for the most part I only run genuine software or freeware). The culprit I think was a lite version of Photoshop CS3 I downloaded from mininova. It came as a self-extracting exe which initially didn't work. I opened it with 7zip and inside were two files: CS3 lite and a file named is165835.exe

I scanned both files and they looked OK so I then ran them. I'm 99% sure this is when the problems started. CS3 Lite incidentally is still installed and running well.
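
The re-scan check used in this thread (re-run HijackThis and see whether either reported finding is still present) can be scripted. The following is an added example, not part of the original posts: the two log excerpts are constructed samples in HijackThis's layout, and the function names are hypothetical.

```python
import re

# Constructed HijackThis-style logs for illustration; not the poster's attachment.
BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [egui] C:\Program Files\ESET\egui.exe /hide
O20 - AppInit_DLLs: xrvucj.dll
"""
AFTER = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [egui] C:\Program Files\ESET\egui.exe /hide
"""
FINDINGS = [r"C:\WINDOWS\system32\msiexec.exe", "xrvucj.dll"]  # from the reply

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")  # e.g. "O20 - AppInit_DLLs: ..."

def parse_hjt(text):
    """Split a log into running-process paths and (code, body) entries."""
    processes, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        m = ENTRY.match(line)
        if line.lower().startswith("running processes"):
            in_procs = True
        elif m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def appinit_dlls(entries):
    """DLL names on O20 AppInit_DLLs lines (space- or comma-separated)."""
    dlls = []
    for code, body in entries:
        if code == "O20" and body.lower().startswith("appinit_dlls:"):
            dlls += body.split(":", 1)[1].replace(",", " ").split()
    return dlls

def persisting(findings, log_text):
    """Findings that still show up in a scan, compared case-insensitively."""
    processes, entries = parse_hjt(log_text)
    seen = {s.lower() for s in processes + appinit_dlls(entries)}
    return [f for f in findings if f.lower() in seen]
```

An empty list from `persisting(FINDINGS, rescan_text)` means neither finding appears in the new scan; it says nothing about items the log does not list.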
 