Trojan.Virtumonde - Can't get rid of it

Radian444

Hello Everyone,

Working on an infected client's machine. Performed all of the steps listed in the "Viruses/Spyware/Malware, preliminary removal instructions" and ran all of the tools and Trojan.Virtumonde keeps showing back up.

Attached are my HijackThis, AVG Anti-Spyware, VundoFix and ComboFix log files. The Panda Anti-Rootkit didn't find any unknown rootkits. By the way, I already updated to the latest version of Java 6 (update 3).

There are no longer any symptoms or popups occurring on the machine, but I'm worried that the Trojan.Virtumonde will open ports and start downloading additional files to the computer. Any help would be greatly appreciated.

My best guess based on the hijackthis log would be the three entries: wpkggnlt.dll, awtqq.dll, and nixhevgv.dll, but I haven't used HijackThis and don't want to screw something up.
 

Attachments

  • AVGAntispyware.txt (8.2 KB)
  • ComboFix.txt (19.1 KB)
  • hijackthis.log (12.5 KB)
  • VundoFix.txt (1.8 KB)
Hello and welcome to Techspot.

Open notepad and copy/paste the text in the code box below into it:
NOTE: make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this:

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:

File::
C:\WINDOWS\Downloaded Program Files\popcaploader.dll
C:\WINDOWS\system32\awtqq.dll
C:\WINDOWS\system32\wpkggnlt.dll
C:\WINDOWS\system32\nixhevgv.dll
C:\WINDOWS\system32\wjpuxrcm.dll
C:\WINDOWS\system32\djnwfhtb.dll
C:\WINDOWS\system32\ygglnnqq.dll
C:\WINDOWS\system32\gxgukcxe.dll
C:\WINDOWS\LMIB.tmp
C:\WINDOWS\system32\bcgboyvo.exe
C:\WINDOWS\LMI21.tmp
C:\WINDOWS\system32\tbstakbn.dll
C:\WINDOWS\system32\rthyhxqa.dll
C:\WINDOWS\system32\dgfpuxtg.dll
C:\WINDOWS\system32\uxfayema.dll
C:\WINDOWS\system32\xnxaighb.dll
C:\WINDOWS\system32\hiadwvil.dll
C:\WINDOWS\system32\iifffee.dll
C:\WINDOWS\system32\wvuuron.dll
C:\WINDOWS\system32\xxywtrr.dll
C:\WINDOWS\LMI4.tmp
C:\WINDOWS\system32\gebca.dll

Folder::
C:\VundoFix Backups
C:\qoobox
C:\PROGRA~1\MYWEBS~1
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d47678bb-ed69-4b3c-a39f-5ca0bd81b949}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"8c3ea17a"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{634BBAB7-3F60-4426-944F-A62B9007F67F}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywtrr]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\gebca.dll
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8c3ea17a]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

Regards, Howard

This thread is for the use of Radian444 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
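As an added example (not part of this thread and not ComboFix's own code), here is a small Python parser for the CFScript format used in the post above. It checks the "File:: must be on line 1" rule, splits the File::/Folder::/Registry:: sections, reads `[-KEY]` as a key deletion and `"name"=-` as a value deletion (the same meaning those forms have in regedit syntax), and flags two things worth eyeballing before dragging a script onto ComboFix: short random DLL/EXE names of the kind Virtumonde drops (a heuristic, not a signature) and anything besides msv1_0 written to the LSA "Authentication Packages" value. The sample script is a shortened, constructed version of the one in the post; the set of section headers handled and the random-name pattern are assumptions.

```python
"""Parse and sanity-check a ComboFix CFScript.txt before using it (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: only the section headers that appear in the posted scripts are handled.
SECTIONS = ("File::", "Folder::", "Registry::")
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")          # [KEY] selects a key, [-KEY] deletes it
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')  # "name"=data, or "name"=- to delete the value
# Heuristic (assumption): Vundo-style droppers use short random lower-case names.
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,8}\.(?:dll|exe)$")


@dataclass
class RegOp:
    action: str                 # "delete_key", "delete_value" or "set_value"
    key: str
    name: Optional[str] = None
    data: Optional[str] = None


@dataclass
class CFScript:
    files: List[str] = field(default_factory=list)
    folders: List[str] = field(default_factory=list)
    registry: List[RegOp] = field(default_factory=list)
    problems: List[str] = field(default_factory=list)


def parse_cfscript(text: str) -> CFScript:
    script = CFScript()
    lines = text.splitlines()
    # Rule from the post: File:: is the very first line, no blank line above, no leading space.
    if not lines or lines[0] != "File::":
        script.problems.append("line 1 must be exactly 'File::' (no blank line above, no leading space)")
    section = None
    current_key = None
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip()
        if not line:
            continue
        if line in SECTIONS:
            section, current_key = line, None
            continue
        if section is None:
            script.problems.append(f"line {n}: text before any section header: {line!r}")
            continue
        if section == "File::":
            script.files.append(line)
        elif section == "Folder::":
            script.folders.append(line)
        else:
            m = KEY_RE.match(line)
            if m:
                minus, key = m.groups()
                if minus:
                    script.registry.append(RegOp("delete_key", key))
                    current_key = None
                else:
                    current_key = key
                continue
            m = VALUE_RE.match(line)
            if m and current_key:
                name, data = m.groups()
                if data == "-":
                    script.registry.append(RegOp("delete_value", current_key, name))
                else:
                    script.registry.append(RegOp("set_value", current_key, name, data))
                continue
            script.problems.append(f"line {n}: unrecognised Registry:: entry: {line!r}")
    return script


def suspicious_files(script: CFScript) -> List[str]:
    """Paths whose basename looks like a Vundo-style random DLL/EXE name (heuristic only)."""
    return [p for p in script.files if RANDOM_NAME_RE.match(p.rsplit("\\", 1)[-1])]


def extra_auth_packages(script: CFScript) -> List[str]:
    """Anything other than msv1_0 written to LSA 'Authentication Packages' deserves a second look."""
    extras = []
    for op in script.registry:
        if op.action == "set_value" and op.name == "Authentication Packages":
            extras += [t for t in op.data.split() if t.lower() != "msv1_0"]
    return extras


# Constructed sample: a shortened form of the script in the post above.
SAMPLE = r"""File::
C:\WINDOWS\system32\awtqq.dll
C:\WINDOWS\system32\wpkggnlt.dll
C:\WINDOWS\LMIB.tmp
C:\WINDOWS\system32\gebca.dll

Folder::
C:\qoobox
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"8c3ea17a"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\gebca.dll
"""

if __name__ == "__main__":
    s = parse_cfscript(SAMPLE)
    print("problems:", s.problems)
    print("random-looking names:", suspicious_files(s))
    print("extra auth packages:", extra_auth_packages(s))
```

A leading space or blank line before File:: is reported as a problem rather than silently accepted, which is the mistake the post warns about. The `~` in the BHO key is ComboFix's abbreviated key path as it appears in the post and is kept verbatim.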
 
Thank you for the quick reply. I lost remote access to the computer, but will perform the instructions you listed tomorrow and attach the new HiJack This log file. By the way the LogMeInRescue entry is for the software that we use to connect remotely.
 
Ok, no problem.

I have removed the LogMeInRescue entry from the script. That's one very badly infected system you have there.

Regards Howard :)

 
Attached are the latest combofix and HJT logs.

Thanks for the help
 

Attachments

  • ComboFix.txt (16.7 KB)
It appears you're running two AV programmes, Yahoo and Symantec/Norton. This is not recommended; it will slow your system down and can cause serious conflicts. I suggest you uninstall one antivirus programme.

Open notepad and copy/paste the text in the code box below into it:
NOTE: make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this:

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:


File::
C:\WINDOWS\system32\gnsgpeen.dll
C:\WINDOWS\system32\noiavhle.dll
C:\WINDOWS\system32\nqksxpyi.dll
C:\WINDOWS\system32\awtqq.dll
Folder::
C:\qoobox
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{33c11fbc-31b7-40c1-a6a1-ae9755034564}]



Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

Please open Notepad and copy and paste the text below into it
(don't forget to copy and paste the REGEDIT4 line):

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"="msv1_0"
Save this as "fix.reg" (choose "All Files" as the save type) and place it on your desktop.

Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Regards Howard :)

 
Disabled Yahoo Antivirus in msconfig. Here are the new combofix and hijackthis log files.

Thanks again
 

Attachments

  • ComboFix.txt (15.4 KB)
That all looks pretty clean.

I still recommend you uninstall one AV programme.

Delete the following folders/files:

C:\qoobox
C:\fix.reg
C:\WINDOWS\LMI2A.tmp
C:\WINDOWS\LMI4.tmp
C:\WINDOWS\LMIB.tmp
C:\WINDOWS\LMI21.tmp

Turn off System Restore (XP/ME only). See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 
Ran another scan of Spybot S&D and this time it didn't find the Virtumonde infection! Thanks again!

This thread is now closed: If you need this thread unlocking, please pm a moderator with a link to the thread.

Only the original thread starter can do this. Anyone else, will be ignored.
 