[Resolved] Trojan.Virumonde Persistant Issues


stangpride

Good Evening,

This is the first time I've posted here since I've joined TechSpot. My sister requested I assist her with her computer, as she had a virus in it that kept reappearing after other people have supposedly "helped" her. She purchased this pc in April of 2005. As I am by-the-book in my attempts to do things correctly the first time and refuse to take "short-cuts" and she realizes this, she finally requested my help. I've now spent no less than 22 hours following the procedures in TechSpot's Viruses/Spyware/Malware Preliminary Removal Instructions, trying to be thorough in the fix, so she will not have to deal with this problem anymore. I am now ready for some assistance in getting rid of this trojan once and for all on my sister's desktop pc.

For starters, her desktop is a Dell Dimension 2400, Intel Celeron CPU 2.4GHz, with 256 MB RAM (yes, I know, utterly zero RAM compared to current standards), and has a 40GB HDD. She is running WinXP Home Ed., with SP2, version 2002. There is a CD-RW drive, but nothing else was installed. Basically, it's an OTS As-Is purchase for my sister, as she did not request any specific modifications (the tower is actually riveted onto the frame, so you cannot remove it to install anything without permanently damaging the metal). She is a "newbie" to the technical world. I am not such a newbie. I have a lot of experience in many different technical areas, but as far as fixing viruses of this malicious nature (not easily fixed with one or two simple removal tools), I want to be absolutely certain her computer is running up to spec and would appreciate a helping hand determining what the logs all mean, and if, as I might suspect, the virus(es) still exist after all the initial attempts to rid it/them off of her computer.

When I first got the pc, she had McAfee AV sw installed, which kept telling her a specific error message anytime she opened IE (thought I had written down the exact error, but if so, I cannot locate it now, so I will attempt to recall the majority of what it said from memory): The error message said it blocked access to a particular file when opening IE and that file is C:\Windows\System32\JKHHI.DLL, with a title of Trojan.Virtumonde, which was dedicated at the Elevated Risk level. Since first working with her pc, I ran a few of the tools I've located within TechSpot, and noticed those error messages quit appearing, but I knew the virus was still intact, as her pc was still excruciatingly slow at doing any one thing. I kept open windows to a minimum of 3, but that still did not help matters much. I continued to scan through TechSpot, to see what everyone was discussing and ways to get rid of things, and also scanned through several other web forums, and did the easiest things first, then attempted to do the 15-step Preliminary Removal instructions. Throughout the process of each of the scans, I went from having 4 trojans (Trojan.AgentAOY, Trojan.Downloader.ConHook (both High Risk), Adware.Adsponsor (Low Risk), and lastly, Trojan.Virtumonde (Elevated Risk)) down to just about nothing, but there are still some things leftover. As there were several different scans requested throughout this 15-step removal process, the items found decreased, and even went entirely away within a few of the software products, but the last two scanning items still found some minor items, which is the entire reason I would like someone who knows how to read the logs entirely to take a peek at them and tell me what they are seeing. I can gather a lot of information from these logs myself, but I do not know what might be good or bad and I am dead tired of working on this system now. I pray I can get this pc fixed this evening (good luck, right!)
I do not want to keep my sister's pc too long, as she has school classes she attends online and will need this computer back ASAP. So please let me know your thoughts! Thanks much for your responses, in advance.

Panda Anti-Rootkit Scan Results: No Rootkits have been found. Items scanned: 3558.

I have attached the 3 requested logs, as instructed: HJT, Combofix, and AVG:
 
UPDATE: Now my sister's Login Screen is being completely bypassed. I've read the key in the registry that might need changing, but as I do not mess with the registry too often, it would be helpful if someone would confirm the exact change I need to make. She had two users (and I will have to talk to her about the name and password choices, etc.), Administrator and Owner, where Owner is the name she signed in under. The Welcome page where you clicked on the user you wanted to use is now being bypassed. I "logged out", and noticed the Administrator login name was now missing entirely. Please advise which registry key will need to be corrected and what exact changes need to be implemented in order to change this feature back to normal. Thanks.

Oh, and as an FYI, I uninstalled McAfee AV, and installed Norton Internet Security on this pc since I know how to maneuver around within that AV software and know its capabilities. It's better than McAfee, but still not the first choice for user reviews. I have to try Trend Micro one day and see what it's all about...I really liked what they had to offer within the 15-step removal instructions, but for right now, I had an extra license with my own NIS software and chose to install that on her machine rather than keeping McAfee. I told her I was going to do this, as NIS is a lot better and more user-friendly (she will love that.)
 
1. run hjt from prog files not desktop. uninstall; go to services and disable
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe

hjt fix O2 - BHO: {a73835a4-5b64-45a9-56d4-8089766dcc3e} - {e3ccd667-9808-4d65-9a54-46b54a53837a} - C:\WINDOWS\system32\qjdbegis.dll (file missing)
run smitfraud in safe mode and finally combofix
post fresh logs
 
Dohhh...

Tomrca,

Thanks for pointing out I did not follow directions to a tee on that step...Dohhh!!! So much for my "do it right the first time" statement. LOL I will not be able to post a new log until I get back home today at 5:30 PM, as I am at work. If you find anything else in the meantime, please let me know. Thanks for the prompt response! :)

tomrca said:
1. run hjt from prog files not desktop. uninstall; go to services and disable
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe

hjt fix O2 - BHO: {a73835a4-5b64-45a9-56d4-8089766dcc3e} - {e3ccd667-9808-4d65-9a54-46b54a53837a} - C:\WINDOWS\system32\qjdbegis.dll (file missing)
run smitfraud in safe mode and finally combofix
post fresh logs
 
I would still like more help responses from other people. You can never have too many people reviewing logs and giving input....:) Thanks!

(Moderator edit: Posts merged. Please use the edit button, rather than replying to your previous post where there are no other replies in between. If bumping the thread, please wait at least 24 hours for a reply.)

Tomrca,

Here are the logs after the fixes you suggested. I've included only those logs from the software you instructed me to run/re-run. If you need AVG again, just let me know. Hope for help this evening and appreciate anyone who responds.

V/r,

SP

As an FYI, there was a HJT scan run when I began following instructions, and I ran it one more time at the end, since that will display the final settings of my sister's pc after the fixes were applied, which I figured would be helpful. Please let me know if any of these files still contain threats or software conflicts.

Thanks again, in advance!!! :D
 
Hi,

I need a HijackThis log from a scan in normal mode. Please post that in your next reply.

Meanwhile please do the following.

  1. Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    File::
    C:\WINDOWS\BM532a204e.xml
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
    C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
    C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
    C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
    C:\WINDOWS\system32\qjdbegis.dll
    Folder::
    C:\WINDOWS\peernet
    C:\WINDOWS\provisioning
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e3ccd667-9808-4d65-9a54-46b54a53837a}]
  2. Save this as CFScript on the desktop.
  3. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
    CFScript.gif

  4. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
    Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang.

Thereafter, please post the resultant ComboFix log as well as the requested HJT log from the above instructions as an attachment into this thread.


Regards,
momok =)

This thread is for the use of stangpride only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.
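The CFScript above drives ComboFix from three "::" sections, and its last two entries remove the same BHO that tomrca's earlier HijackThis O2 line reported. The following parser is an added example (not ComboFix's, HijackThis's or the thread's own code) that reads a CFScript and an O2 line and checks that the script removes both halves of the BHO, the DLL under File:: and the CLSID key under Registry::; the sample input is copied from the thread.

```python
import re

# Constructed input copied from the thread: the O2 BHO line HijackThis reported and
# the CFScript momok asked the poster to drop onto ComboFix.
HJT_O2_LINE = (r"O2 - BHO: {a73835a4-5b64-45a9-56d4-8089766dcc3e} - "
               r"{e3ccd667-9808-4d65-9a54-46b54a53837a} - "
               r"C:\WINDOWS\system32\qjdbegis.dll (file missing)")
CFSCRIPT = r"""File::
C:\WINDOWS\BM532a204e.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
C:\WINDOWS\system32\qjdbegis.dll
Folder::
C:\WINDOWS\peernet
C:\WINDOWS\provisioning
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e3ccd667-9808-4d65-9a54-46b54a53837a}]
"""
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
                   r"(?P<path>.+?)(?: \((?P<note>file missing)\))?$")


def parse_cfscript(text):
    """Split a CFScript into its '::' sections. File:: and Folder:: entries are
    paths; a Registry:: entry is a bracketed key, and a leading '-' inside the
    bracket (the only form in the thread's script) marks the key for deletion."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("entry before any section header: %r" % line)
        elif current == "Registry" and line[0] == "[" and line[-1] == "]":
            key = line[1:-1]
            sections[current].append(
                ("delete_key" if key.startswith("-") else "keep_key", key.lstrip("-")))
        else:
            sections[current].append(line)
    return sections


def parse_hjt_o2(line):
    """Return the BHO's CLSID, DLL path and whether HJT flagged the DLL as missing."""
    m = O2_RE.match(line)
    if not m:
        raise ValueError("not an O2 BHO line: %r" % line)
    return {"clsid": m["clsid"].lower(), "path": m["path"],
            "file_missing": m["note"] is not None}


def cross_check(script, bho):
    """Confirm the script removes both halves of the BHO: its DLL and its CLSID key."""
    files = {p.lower() for p in script.get("File", [])}
    deleted = [k.lower() for act, k in script.get("Registry", []) if act == "delete_key"]
    return {"dll_listed": bho["path"].lower() in files,
            "clsid_key_deleted": any(k.endswith(bho["clsid"]) for k in deleted),
            "file_missing": bho["file_missing"]}
```

A "file_missing" BHO whose CLSID key is still registered is the usual leftover after a partial cleanup, which is why the script deletes the key as well as the DLL.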
 
Latest Logs for Stangpride - 1-15-08

Hi Momok,

I have done as instructed and run HJT in Normal mode, followed by dropping the CFScript.txt file on top of Combofix and let it run to completion. Here are both of my updated logs after this fix.

As a side note, Combofix insists on deleting a portion of my Norton Internet Security program, the Phishing Protection file: NCO_BHO.reg. I add that back into the registry after each time it disappears by clicking on that file within the Program File, but Combofix seems to think it is malware. Is this file corrupt or something?

Also, my sister's pc is still bypassing the Windows Login screen altogether. I know a registry key needs fixed, but do not know what I need to do to fix that particular key. Would you mind letting me know how to do that, as well?

Thanks so much for all your help! I look forward to your review. :D
 
Hi,

Please navigate manually to these two folders and delete them.

C:\WINDOWS\peernet
C:\Documents and Settings\Owner\Application Data\Viewpoint

Could you try resetting your user account password from the administrator account? See HERE.

Regards,
momok
 
Next Set of Directions and Missing Windows Logon Screen 1-16-08

Hi Momok,

I have some private information about the logon screen I do not want the whole world able to access via this forum. Would you please send me a personal note and I will explain there.

Also, for verification of the next requested action, am I supposed to manually delete those two strings within Windows Explorer, or via HJT, or what, specifically? After that, will you require new logs? You did not mention that part. :)

Thanks again!

UPDATE: My sister needs her desktop back NLT Friday this week...so two more days.
 
Alright Momok,

I chose to do this request through Windows Explorer since you were not able to post a response today sometime while I was at work. I do want to mention, however, that Viewpoint was a media player and I am worried that this media player was something my sister might have needed for college. I had to delete everything from the subfolders before deleting the main folder, but I got 'er done.

As for peernet, the folder was already empty, but even when I tried deleting it, I was told it is in use by some other program and that it could not be deleted. I only have two IE windows open right now, so I will close out of them and try again. If I am still not able to do so, I will look through task manager and see if anything else running is a part of this particular folder and stop that process, then delete it. My concern with this folder is that it's a legitimate Peer-to-Peer networking folder for Windows, and did not fully understand why I'd need to delete it. I understand that malware can put folders in places they do not belong, so I will go ahead and follow what I was instructed to do here.

I still do not know if you need any more logs at this point and considering the time difference for where we both are, I am certain I will not hear anything until tomorrow for me here. I do know I am running out of time to get this computer fixed. I have until Friday evening and since I will not be home that evening, before late, I doubt I will get online at that point to determine anything else that needs to be done. I pray these two fixes finish what I need to do to resolve this infection; otherwise, I might need to upset my sister and tell her I have to keep her pc even longer and that will not go over very well with her going into the second week of classes already without her pc.

Please advise if you need more logs, and what else I need to do to finish this project.

I sincerely appreciate all you've done for helping me thus far and hope you have a good day over there! :) For a young person, you are very intelligent. Thanks again for taking time out of your busy day and helping me throughout meeting all your other obligations. I look forward to your next post. I may come back with more logs, just for the sake of doing them and not waiting to be told they are/are not needed.

V/r,

SP
 
HJT Log from 1-16-08 and Updated Missing Welcome Screen User Account Logins

Here is my updated HJT log, in case it's needed. I did not see any posts requesting them, but I'm sending it anyway. I would like to know if this pc is still infected with anything, if you can determine that from this log.

UPDATE: I could only delete Peernet folder after going into Safe Mode, and now that I'm logged back into Normal Windows, that same empty Peernet folder is there again. So I guess either this pc is still infected with spyware, or else this is a needed file by Windows XP OS.

Also I'd still like help with the missing user Icons on the Welcome screen, which is still automatically being bypassed at startup. The pc goes directly into the desktop without stopping at user accounts to click on any icon. I've noticed that these icons are there when I start this pc in Safe Mode, but they disappear otherwise. There has got to be an easy fix for this problem; some system setting, configuration, or whatnot. I believe Combofix created this issue, as it's created a couple other minor irritations. I've researched this and researched this without any luck finding what I need. Going into User Accounts, you can see the checkboxes are checked for logging in with user accounts, but it does not happen in Normal bootup mode, so this tells me there is some system setting causing this problem. Passwords work in Safe Mode and I do not have to hit CTRL-ALT-DEL to see the icons because they are already visible, so it is not a password or hidden icon issue. Those are the only logs I've been able to find on this topic thus far. If anyone out there can help, I'd greatly appreciate it.
 
Hi,

Sorry I've been extremely busy. That log is definitely clean; and no worries about the peernet folder.

It does seem strange that you get the login screen for safe mode but not normal mode. When you boot up via normal mode, are you automatically in the administrator account? If you are, are you able to enter the "user accounts" in control panel? Try resetting the checkboxes from there.

If you discover that you are in the created user account (ie, your sister's standard user), press ctrl+alt+del to change to the administrator account and reset the password for your sister's standard account.

Regards,
momok
 
Thanks for all your help, Momok!

Hi Momok,

I hope you don't feel I was criticizing your inability to answer quickly; I was only trying to point out that I understand your reasons for not being here. I am sorry if you read that in the wrong way. I will review what I wrote and try to learn a better way to say things, if you thought I was criticizing you at all. I understand the volunteer nature of forums completely. Therefore, there was no need to apologize. I feel badly that you might have taken my words wrong.

Thank you so much for helping me out. I know you were very busy with real life activities and took time out of your busy day to assist me promptly. I understand how it feels not to have enough time in the day to get everything done you would like to do (I work with pcs at my job all day long, then for the past 5 days, I would come home and immediately jump into working on my sister's desktop, so yes, I know full well how it feels to be too tired for keeping up with forums.) I am learning still, and I learned quite a bit from these forums in my research to resolve my sister's issue. I know I will be a frequent flyer here, as I've already started helping others in problems I know how to solve. I hope to learn the difference between required files and folders on Windows versus unnecessary items and malware, but that will come in due time.

As for the user account that is automatically signed in, it is my sister's personal account and not the administrator account. She never had a password setup on her user account previously, but you still had to at least click on the icon to get beyond the Welcome screen before Combofix was run on the pc. Now, it just goes straight to her Desktop, bypassing the icon screen any time you boot the computer. As an FYI, her computer has not been connected to the internet unless I was personally working with it, so it really was not too big of an emergency to correct this problem, but I will discuss the risks this creates when I give back the tower this weekend and then I will go through the steps for correcting this matter with her one on one. Please see personal message for more details related to this issue.

Anyway, thanks again for all your help! Have an excellent day!

V/r,

SP

Quick question...if the peernet folder was empty when I deleted it in Safe Mode and it reappeared empty in Normal mode, what purpose is that folder serving? My guesstimation is it's an OS file that is needed, so I should leave it alone? :)

(Moderator edit: There is no need to quote a post directly above yours when replying.)
 
Hi,

No problems =)

Regarding the peernet folder, I've been researching a little the past few days.
The closest clue to what it may be for is this -> http://support.microsoft.com/?kbid=817778 I would believe it's not entirely needed, but there's no harm leaving it there either.

I think I've found what could have been the cause of the login screen bypass. Under HERE, it states that
The Guest account is not relevant when Windows determines if there is only one user without a password. If there is only one user registered on the computer, the "Welcome" logon screen is not displayed before the account is logged on...... To work around this behavior, either add a second user to the computer or create a password for the user account. This prevents the account from being logged on automatically.

Hope that helps solve your problem. May I add that I'd recommend setting up a standard account (non-administrator) as this helps keep the system more secure to malware infections and your system files safe from unauthorised attacks (ie, deletion, modification).

PS. If you're looking to learn about malware, you can check out the online Malware Removal University.

Regards,
momok

Edit: Thread closed as the problem appears to have been resolved. Should the original starter require it to be reopened, please PM a mod.
 