TechSpot

Malware (Virtomundo & others) issue: HJT log

By haz
Jul 22, 2007
  1. Hello --

    This is my first post as a member, and unfortunately, it has to do with my infected home PC. Right off the bat, I'd like to thank you folks for posting this very useful information and helping us *****s out. Having a virus on your computer is no fun at all.

    The story: a few days ago (Wed, the 18th), I downloaded and opened an unknown executable, which I thought was another benign program. My Symantec Norton Antivirus immediately detected and quarantined numerous infected files (perhaps ~20), with names like "Downloader", "Trojan", "TrojanHorse", and "Virtomonde". After running various scans with Norton, SS&D, etc. and searching on the web a little, I encounted a useful program called VundoFix. I ran it, it seemed to work, but then after I rebooted my computer and started Explorer again, everything was back (Norton detected a couple more "Downloader" and "Virtomonde" files, which it failed to quarantine). Is this "Downloader" reinstalling the virus on my computer when I reboot? Very devious.

    The only symptoms I noticed on my computer were:
    1. Pop-ups
    2. the presence of "My Way Search Assistant" in my Add/Remove programs list
    3. the presence of "Outerinfo" in my Start menu.
    4. the presence of a few unknown (and probably malicious) "add-ons" in my "Manage Add-ons" window of Explorer. Even if I tried to disable them, they would be enabled again later.

    I dug deeper on the web, read more, and decided that I really did want to clean this rather than do a complete re-install of Windows. I encounted this forum, and printed out the instructions at http://www.techspot.com/vb/topic58138.html

    This morning, I followed the instructions step-by-step, with my computer disconnected from the internet (so I skipped Step 3: online scan). Several of the programs (including all three of the Virtumonde "tools") detected, eliminated, and/or quarantined infected files. Norton, SS&D, and Adaware didn't find anything. The Rootkit scan didn't find anything either. However, I still don't know if my computer is clean. I have yet to reconnect to the internet, and wanted to pass this HJT log by you guys before I do so. I also uninstalled all my old versions of Java.

    As requested, I've attached the final HJT log, the AVG log, and the Combofix log. I have others, if you need them (including the most recent VundoFix log).

    I'm fairly good with my PC, and would be comfortable editing my registry if that becomes necessary. I am embarrassed that I opened an exe that had no right to be opened, and am a little worried that personal info on my PC was transfered to some schmuck.

    Any help/advice you could offer would be very much appreciated.

    -- haz
     

    Attached Files:

  2. haz

    haz TS Rookie Topic Starter

    help?

    Hi all --

    I know this is a bump and that you guys are probably busy, but I'm still freaking out about the infection on my computer and am afraid to connect to the internet until I get this cleared up. Just hoping someone can give me a hand with this... Thanks again for your time...

    -- Haz
     
  3. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    I do see remainders of infections on your system.

    It seems that some of the worst stuff is already gone. In some cases, it's better to reformat than to clean, but we might as well go ahead and clean, since the process has been accelerated by ComboFix and the other tools.

    1. Run HijackThis and do a system scan. Place a check in the box next to the following entries (if there):

      R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [http]www.dell4me.com/myway

      O2 - BHO: (no name) - {18A7F689-8C8D-4375-A92F-561A4323062B} - C:\WINDOWS\system32\awvvv.dll (file missing)
      O2 - BHO: (no name) - {50904833-3478-4C47-A2AC-A9D7F98984C8} - C:\WINDOWS\system32\pmkjh.dll (file missing)

      O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - [http]www.popcap.com/games/popcaploader_v6.cab

      O20 - Winlogon Notify: winzwr32 - winzwr32.dll (file missing)

      O21 - SSODL: SysRegClass - {356B3A99-01D7-512D-113C-EBA850C10473} - (no file)

      Close all open programs except HijackThis. Click the Fix Checked button. Wait until it's done fixing, then close HijackThis.

    2. Please download the file CFScript.txt attached to my post and save it to the same folder as ComboFix.

      Referring to the image below, drag the CFScript.txt that you just downloaded over onto ComboFix.exe and release.

      [​IMG]

      This will ask ComboFix to execute the instructions within my file. Let ComboFix run normally and do its job. Attach the resultant log in your next reply.

    3. Post the log resulting from the CFScript, as well as fresh HijackThis and ComboFix logs, as attachments into this thread.

    Regards :)

    This thread is for the use of haz only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  4. haz

    haz TS Rookie Topic Starter

    mahalo

    Thank you, Kitty500cat!

    I fixed with HijackThis, ran the ComboFix script, and re-did a ComboFix log and HJT log.

    BTW, I think your script deleted a free downloaded game, Peggle, from PopCap games. I don't think this was the root cause of my infection. However, I would not be surprised if some malware was attached to it, and it doesn't bother me to lose it.

    I still have yet to reboot my computer since starting this whole process. Should I go ahead and see what happens?

    Thanks again! Logs attached:
     
  5. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    You're welcome.

    The cleaning process is almost done.

    I believe that the CFScript did remove Peggle. I'm not sure if that game itself is adware, but another product from the same company (PopCap) is adware. See HERE for more information.

    Please navigate to www.virustotal.com.

    Click the Choose... button.

    Navigate to the following file:

    C:\SYM_REGISTRY_BACKUP.reg

    Click Open. Then click Send File.

    Wait until it's done scanning; then copy and paste the results into a Notepad file and save it on your computer. Attach the file in your next reply.

    Go into Add or Remove Programs in your Control Panel and remove anything having to do with Viewpoint. As I understand the license agreement, it sends information about the content it plays back over the Internet to the company's servers. Thus, it is classified as spyware. See HERE for more information.

    Then redo the CFScript instructions, only this time use the script attached to this post.

    The CFScript will remove a malicious file that I missed the other time, as well as the one Viewpoint folder, in case uninstalling didn't fully remove it.

    Please post the CFScript log.

    Regards :)

    This thread is for the use of haz only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  6. haz

    haz TS Rookie Topic Starter

    Hi --

    I wasn't able to get the Registry Backup file scanned. The website eventually said that it was too large a file. I can however tell you about this. I made this backup of my registry *after* my computer had been infected (the next day), but before I started using some of the programs and tools I had downloaded from the web to rid myself of the infection. That probably sounds stupid (and hopefully it's not a problem), but I was worried that these scanning programs might affect my registry so much that my computer wouldn't boot back up. I figured it couldn't hurt to have a backup just in case. Should I just delete this backup? Can it do any harm to my computer?

    I couldn't find Viewpoint in my Add/Remove programs, but when I did a search for it on my hard drive, I found it located in a few places:

    1. C:\Program Files\Viewpoint
    2. C:\Program Files\Common Files
    3. C:\Program Files\AIM\Sysfiles

    The last of these actually contains an executable named [viewpoint.exe]

    Also: can I simply delete the "Outerinfo" entry in my Start Menu?

    BTW, I like how the ComboFix log dates everything that was recently installed on the computer. Very useful. If it helps you, I was infected the evening of the 18th (around 8pm).

    Here's the new ComboFix log...
     
  7. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Awesome, everything looks good now.

    You can delete any references to OuterInfo. It's the name of an adware-publishing company.

    ComboFix deleted C:\Program Files\Viewpoint; you can probably remove the Viewpoint folder in C:\Program Files\Common files as well. As for the last location mentioned, you can probably let that go. You should delete the SYM_REGISTRY_BACKUP.reg file; otherwise, it could damage the registry if you accidentally open it.

    Please follow these last steps yet.

    Delete all files in AVG Anti-Spyware Quarantine folder (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine).

    Turn off system restore. See how HERE
    This will remove all your system restore points, including any malware hiding in them.

    After that turn system restore back on.
    This will create a new, clean restore point for your system.

    Visit the Windows Update web site (http://windowsupdate.microsoft.com/).
    Be sure to install all of the high-priority updates; these will help secure your system. You should do this often; or, better yet, enable Automatic Updates in your Control Panel.

    Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend you to read this article. This can help to prevent future infections.

    Should you have further virus/spyware problems, please post in this thread.

    Regards :)

    This thread is for the use of haz only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  8. haz

    haz TS Rookie Topic Starter

    Hi kitty500cat --

    Things are looking great so far! I've rebooted, and nothing negative has come up. Thank you again for all your help.

    I didn't find an AVG Quarantine folder, but I did delete the files from within the program.

    There is also a "C:/Qoobox" folder. Should I do anything with this, or just leave it alone?

    And one last question: as I mentioned earlier, there are around 29 items in my Norton quarantine. Should I do anything these these? If I ever uninstall Norton in favor of another anti-virus program, what happens to these items?

    I can't tell you how grateful I am for this guidance. This forum has been invaluable, and I've put a number of the security suggestions mentioned at that article you linked in place already.

    Cheers --
    Haz
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...