Massively infected Vaio: virtumundo, eraseme.exe, and more

Status
Not open for further replies.

thorsdecree

My friend's computer is very severely infected by multiple viruses, including virtumunde and eraseme.exe. I went through the 15-step procedure and found a few things, but I doubt it's all of it. I'm posting the HJT log and ComboFix log.

Any help appreciated; the problem is still here. There's a dir in Documents and Settings called 'Valued Customer' which contains eraseme.exe. There is no 'Valued Customer' user account; it might have been removed long ago or it might never have been a user, but we think it is the first case. I will remove eraseme.exe with a Linux LiveCD as soon as possible, but that can't be until tomorrow at the earliest. Thanks for the help!
 

Attachments

  • hijackthis.log (13.1 KB)
I'm not the best at this, but I do understand how to read a HijackThis log, so start by fixing these entries with HijackThis:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe

O3 - Toolbar: (no name) - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)

O4 - HKLM\..\Run: [Windows Console] wkssvc.exe


O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Valued Customer\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O20 - Winlogon Notify: mopwvpgk - mopwvpgk.dll (file missing)
 
Thanks, will do. I can't do that till late afternoon tomorrow, or even the next day, but she'll be glad to hear someone's helping. I haven't had to deal with Vundo in a while, and her system is sooo messed up. Thanks for the help, and we'll see what that does. Also, would you suggest getting rid of eraseme.exe with the LiveCD method, or is it known to inhabit some other place too?
 
Alright, will do. I might be able to do this tomorrow, but might not; I'm leaving town shortly after school's out. I'll post progress then, after running a HJT cleanup and DeleteDR.

My friend said that at least part of it may be fixed; she hasn't had any random viral messages sent through her MSN account so far, which was a big problem before.

Thanks
 
Here are a few more to delete; some of them have already been mentioned:

C:\WINDOWS\wkssvc.exe
O3 - Toolbar: (no name) - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)
O4 - HKLM\..\Run: [Windows Console] wkssvc.exe
O4 - HKLM\..\Run: [WinDLL (svc.exe)] rundll32.exe C:\WINDOWS\system32\svc.exe,start
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Valued Customer\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O20 - Winlogon Notify: mopwvpgk - mopwvpgk.dll (file missing)


You also need to go HERE and follow all the steps exactly as instructed.

And get some antivirus and a firewall immediately.
 
I have NOD32 installed on her computer, will install ZoneAlarm once we get these things sorted out. Right now the main focus is removing all the viruses. I'm going to delete everything in 'Valued Customer' next chance I get; I'm out of town until Sunday.

Until then I told her just to leave everything alone... she decided to delete some random DLLs earlier >.< Thanks for all the suggestions; I'll perform them and reply ASAP.

And, @ above, I already followed the 15 steps, and that cleaned up some of the problem but not all of it.
 
Don't remove this entry; it is legitimate because it is in the system32 folder. If it were just in the Windows folder, then you would have an issue:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe

I also see an SDBOT infection on there, so you don't want to simply remove this from HijackThis:
O4 - HKLM\..\Run: [Windows Console] wkssvc.exe
 
Thanks for helping me out on that. Like I said, I'm not a professional.

I looked up userinit and it said it was a worm? But I'd listen to Blind Dragon; he's better at this than me :)
 
An entry commonly found in F2 is the UserInit entry, which corresponds to the key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit, found in Windows NT, 2000, XP and 2003. This key specifies what program should be launched right after a user logs into Windows. The default program for this key is C:\windows\system32\userinit.exe. Userinit.exe is a program that restores your profile, fonts, colors, etc. for your username. It is possible to add further programs that will launch from this key by separating the programs with a comma. For example: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit =C:\windows\system32\userinit.exe,c:\windows\badprogram.exe. This will make both programs launch when you log in, and is a common place for trojans, hijackers, and spyware to launch from.

***So basically if it was in a different folder other than the %system% folder then it would be bad, or if there is another program attached to load after userinit

nddeagnt.exe is also OK to have attached after userinit.
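The two Userinit rules Blind Dragon gives above (the first program must be userinit.exe in the system32 folder, and nothing should be chained after it by comma except nddeagnt.exe) as a small script. This is an added example, not code from the thread or from HijackThis. It assumes C:\windows\system32 as the system folder; the sample values are constructed for the example, and only the first two reflect what the posted log showed. On a Windows host it also reads the live value through winreg; elsewhere it just checks the samples.

```python
"""Check a Winlogon Userinit value against the rules stated in the thread.

Rules encoded (from the posts above):
  - the first entry must be userinit.exe, and it must live in system32;
  - anything after a comma is an extra autostart and is suspect, except the
    nddeagnt.exe the post says is acceptable.
"""
import ntpath
import re

# Assumed system folder; adjust if %SystemRoot% is not C:\windows on the host.
EXPECTED_SYSTEM_DIR = r"c:\windows\system32"
# Extra entries the post says are acceptable after userinit.exe.
ALLOWED_EXTRA = {"nddeagnt.exe"}


def _normalize(entry: str) -> str:
    """Strip quotes/whitespace, expand %SystemRoot% (assumed C:\\windows), and
    lower-case the path so case or a trailing slash cannot hide a mismatch."""
    entry = entry.strip().strip('"')
    entry = re.sub(r"%systemroot%", lambda _m: r"c:\windows", entry, flags=re.IGNORECASE)
    return ntpath.normpath(entry).lower()


def analyze_userinit(value: str) -> list:
    """Return a list of findings; an empty list means the value looks like the default."""
    findings = []
    # The default XP value ends with a trailing comma, so drop empty parts.
    entries = [e for e in (part.strip() for part in value.split(",")) if e]
    if not entries:
        return ["Userinit is empty: nothing would be launched at logon"]

    first_dir, first_name = ntpath.split(_normalize(entries[0]))
    if first_name != "userinit.exe":
        findings.append(f"first entry is not userinit.exe: {entries[0]}")
    elif first_dir != EXPECTED_SYSTEM_DIR:
        findings.append(f"userinit.exe is not loaded from {EXPECTED_SYSTEM_DIR}: {entries[0]}")

    for extra in entries[1:]:
        if ntpath.basename(_normalize(extra)) not in ALLOWED_EXTRA:
            findings.append(f"extra program chained after userinit.exe: {extra}")
    return findings


def read_live_userinit():
    """Read the real value on a Windows host; returns None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon") as key:
        value, _type = winreg.QueryValueEx(key, "Userinit")
    return value


# Constructed sample values: the first two match the posted log, the rest are
# made up to exercise each rule.
SAMPLE_VALUES = {
    "default": r"C:\WINDOWS\system32\userinit.exe,",
    "from_the_log": r"C:\WINDOWS\system32\Userinit.exe",
    "chained": r"C:\windows\system32\userinit.exe,c:\windows\badprogram.exe",
    "wrong_folder": r"C:\WINDOWS\userinit.exe",
    "with_nddeagnt": r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\nddeagnt.exe",
}

if __name__ == "__main__":
    for label, value in SAMPLE_VALUES.items():
        print(f"{label:14} {analyze_userinit(value) or ['ok']}")
    live = read_live_userinit()
    if live is not None:
        print(f"{'live':14} {analyze_userinit(live) or ['ok']}")
```

The script deliberately does not touch the registry on its own; it only reports, so the decision to fix or leave an entry stays with the person reading the HJT log, as in the thread.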
 
K, will do as suggested. The trip's been postponed so I will get a chance to work with her computer tonight. I'll do what you guys said here and post back. Thanks.
 
OK I did as you said, here's the log
And, Drag, about the SDBOT infection. You meant not to remove that key with HJT, right?
 
Should I perhaps do a System Restore to about 2 months ago, then delete all the restore points?

[edit]

No restores; I removed them last week :\. I'm rm'ing some stuff with a Gentoo Linux LiveCD right now; I'll post back with any progress.
 
I'm also seeking help here:

http://www.hellboundhackers.org/forum/viewthread.php?forum_id=32&thread_id=11767#100148

I've been a member there for about a year ^^ and it has some of the most helpful people I've ever met. I'll still be following up here, though, so if you have anything to suggest, please do so. Thanks for the help so far; korg has never let me down, and he's the best Windows user I know, along with Zephyr Pure. Reinstalling is NOT an option; he's taught me that.
 