TechSpot

Massively infected viao: virtumundo, eraseme.exe, and more

By thorsdecree
Mar 5, 2008
  1. My friend's computer is very severely infected by multiple viruses including virtumundo and eraseme.exe. I went through the 15-step procedure and found a few things, but I doubt it's all of it. I'm posting the HJT log and combofix log.

    Any help appreciated; the problem is still here. There's a dir in documents and settings called 'valued customer' which contains eraseme.exe. There is no 'valued customer' user account; it might have been removed long ago or it might have never been a user, but we think it is the first case. I will remove eraseme.exe with a Linux LiveCD as soon as possible, but that can't be until tomorrow at the earliest. Thanks for the help!

  2. FaCt0R

    FaCt0R TS Rookie Posts: 21

    I'm not the best at this, but I do understand how to read a HijackThis file, so start by fixing these entries with HijackThis:

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe

    O3 - Toolbar: (no name) - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)

    O4 - HKLM\..\Run: [Windows Console] wkssvc.exe


    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Valued Customer\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

    O20 - Winlogon Notify: mopwvpgk - mopwvpgk.dll (file missing)
     
  3. thorsdecree

    thorsdecree TS Rookie Topic Starter

    Thanks, will do. I can't do that till late afternoon tomorrow or next day even, but she'll be glad to hear someone's helping. I haven't had to deal with vundo in a while and her system is sooo messed up. Thanks for the help and we'll see what that does. Also, would you suggest getting rid of eraseme.exe with the LiveCD method, or is it known to inhabit some other place, too?
     
  4. FaCt0R

    FaCt0R TS Rookie Posts: 21

    Go to http://virusscan.jotti.org/
    Browse to the location of the suspicious file and submit (upload) it for scanning/analysis.

    To get rid of them download http://www.theabsolute.net/sware/files/deletedr.exe
    alternate site.
    After download, double-click on it to start and browse to the location of the files you want to delete. Choose Delete file on System Restart.


    It may recreate itself, not really 100 percent sure, but try this anyway.
     
  5. thorsdecree

    thorsdecree TS Rookie Topic Starter

    Alright, will do. I might be able to do this tomorrow, but might not; I'm leaving town shortly after school's out. I'll post progress then, after running a HJT cleanup and DeleteDR.

    My friend said that at least part of it may be fixed; she hasn't had any random viral messages sent through her MSN account so far, which was a big problem before.

    Thanks
     
  6. kritius

    kritius TS Guru Posts: 2,084

    Here are a few more to delete; some of them have been mentioned:

    C:\WINDOWS\wkssvc.exe
    O3 - Toolbar: (no name) - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)
    O4 - HKLM\..\Run: [Windows Console] wkssvc.exe
    O4 - HKLM\..\Run: [WinDLL (svc.exe)] rundll32.exe C:\WINDOWS\system32\svc.exe,start
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Valued Customer\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O20 - Winlogon Notify: mopwvpgk - mopwvpgk.dll (file missing)


    You also need to go HERE and follow all the steps exactly as instructed.

    And get some antivirus and a firewall immediately.
     
  7. thorsdecree

    thorsdecree TS Rookie Topic Starter

    I have NOD32 installed on her computer, will install ZoneAlarm once we get these things sorted out. Right now the main focus is removing all the viruses. I'm going to delete everything in 'Valued Customer' next chance I get; I'm out of town until Sunday.

    Until then I told her just to leave everything alone... she decided to delete some random DLLs earlier >.< Thanks for all the suggestions, I'll perform them and reply asap.

    And, @ above, I already followed the 15 steps, and that cleaned up some of the problem but not all of it.
     
  8. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Don't remove this entry; it is legit because it is in the sys32 folder. If it was just in the Windows folder, then you would have an issue:
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe

    Also, I see an SDBOT infection on there, so you don't want to simply remove this from HijackThis:
    O4 - HKLM\..\Run: [Windows Console] wkssvc.exe
     
  9. FaCt0R

    FaCt0R TS Rookie Posts: 21

    Thanks for helping me out on that. Like I said, I'm not a professional.

    I looked up the userinit and it said it was a worm? But I'd listen to Blind Dragon; he's better at this than me :)
     
  10. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    The entry commonly found in F2 is the UserInit entry, which corresponds to the key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit, which is found in Windows NT, 2000, XP and 2003. This key specifies what program should be launched right after a user logs into Windows. The default program for this key is C:\windows\system32\userinit.exe. Userinit.exe is a program that restores your profile, fonts, colors, etc. for your username. It is possible to add further programs that will launch from this key by separating the programs with a comma. For example: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit =C:\windows\system32\userinit.exe,c:\windows\badprogram.exe. This will make both programs launch when you log in and is a common place for trojans, hijackers, and spyware to launch from.

    ***So basically, if it was in a folder other than the %system% folder, then it would be bad, or if there is another program attached to load after userinit.

    nddeagnt.exe is OK to have attached after userinit also.
     
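An added check, not from this thread or any of its posters, that applies Blind Dragon's rule to the F2 line of a HijackThis log: split the Userinit value on commas, expect the first program to be C:\windows\system32\userinit.exe, tolerate nddeagnt.exe chained after it, and flag anything else. The sample log lines are constructed (the clean line from this thread plus a tampered variant using the badprogram.exe path from the post above).

```python
import re
from typing import Dict, List

# Stock value of HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
# on the XP-era systems discussed in the thread; comparison is case-insensitive.
SYSTEM32 = r"c:\windows\system32"
EXPECTED_USERINIT = SYSTEM32 + r"\userinit.exe"
# Extra loader the thread says is acceptable after userinit.exe (with or without a path).
BENIGN_EXTRAS = {SYSTEM32 + r"\nddeagnt.exe", "nddeagnt.exe"}

F2_LINE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.+?)\s*$", re.IGNORECASE)

def split_userinit(value: str) -> List[str]:
    """Split the comma-separated Userinit value into normalised (lower-case, unquoted) paths."""
    return [p.strip().strip('"').lower() for p in value.split(",") if p.strip()]

def check_userinit(value: str) -> List[str]:
    """Return findings for one Userinit value; an empty list means it looks like the stock entry."""
    programs = split_userinit(value)
    findings: List[str] = []
    if not programs:
        return ["Userinit value is empty"]
    first = programs[0]
    if first != EXPECTED_USERINIT:
        if first.endswith("\\userinit.exe") or first == "userinit.exe":
            findings.append(f"userinit.exe loaded from outside system32: {first}")
        else:
            findings.append(f"first Userinit program is not userinit.exe: {first}")
    for extra in programs[1:]:
        if extra not in BENIGN_EXTRAS:
            findings.append(f"extra program chained after userinit.exe: {extra}")
    return findings

def check_hjt_log(log_lines: List[str]) -> Dict[str, List[str]]:
    """Map each F2 UserInit line found in a HijackThis log to its findings."""
    results: Dict[str, List[str]] = {}
    for line in log_lines:
        m = F2_LINE.match(line.strip())
        if m:
            results[line.strip()] = check_userinit(m.group("value"))
    return results

# Constructed sample: the clean line posted in this thread plus a tampered variant.
SAMPLE_LOG = [
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,c:\windows\badprogram.exe",
    r"O4 - HKLM\..\Run: [Windows Console] wkssvc.exe",
]
```

Calling `check_hjt_log(SAMPLE_LOG)` returns an empty finding list for the first line and one finding naming badprogram.exe for the second; the O4 line is ignored because only F2 UserInit entries are checked here.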
  11. thorsdecree

    thorsdecree TS Rookie Topic Starter

    K, will do as suggested. The trip's been postponed so I will get a chance to work with her computer tonight. I'll do what you guys said here and post back. Thanks.
     
  12. thorsdecree

    thorsdecree TS Rookie Topic Starter

    OK, I did as you said; here's the log.
    And, Drag, about the SDBOT infection. You meant not to remove that key with HJT, right?
     
  13. kritius

    kritius TS Guru Posts: 2,084

    It won't just get removed by HJT; you would have to manually remove it.
     
  14. thorsdecree

    thorsdecree TS Rookie Topic Starter

    Should I perhaps do a system restore to about 2 months ago, then delete all the restore points?

    [edit]

    No restores, I removed them last week :\. I'm rm'ing some stuff with a Gentoo Linux LiveCD right now; I'll post back with any progress.
     
  15. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I was simply saying not to remove the F2 entry with HijackThis, as it is a normal system file.
     
  16. thorsdecree

    thorsdecree TS Rookie Topic Starter

    I'm also seeking help here:

    http://www.hellboundhackers.org/forum/viewthread.php?forum_id=32&thread_id=11767#100148

    I've been a member there for about a year ^^ and it has some of the most helpful people I've ever met. I'll still be following up here, though, so if you have anything to suggest, please do so. Thanks for the help so far; korg has never let me down, he's the best Windows user I know, along with Zephyr Pure. Reinstalling is NOT an option; he's taught me that.
     
Topic Status:
Not open for further replies.
