
Virtumonde (and Others?) Infection


  • This topic is locked
2 replies to this topic

#1 stellabelch

stellabelch

  • Members
  • 15 posts
  • OFFLINE
  • Gender:Male
  • Location:West Midlands
  • Local time:04:28 PM

Posted 20 August 2008 - 05:15 PM

Hi to all, never got beyond intro last time, forgot all my logon stuff, anyway, I hope to be saved by someone who knows what they are doing unlike myself. I have recently had my PC repaired at my local shop, having a new HD fitted and partitioned; the old drive was left in also with all my old stuff on; also 2gb memory fitted and up to now has been fine. However my 16 yr old stepson (again) was caught on sites that I have told him to avoid (BitTorrent).
Because he was being so shady I never got to see exactly what happened; I can only surmise that AVG may have detected a threat but he chose to ignore it as I would find out he had used said sites (it was Limewire etc last time). I ran a Spybot scan which discovered a total of 8 or 10 entries of a trojan called Virtumonde; subsequent inquiries have led me to the conclusion this is a bad one. Despite being removed by Spybot, it keeps returning or at least a small portion is hanging in there. I am using a laptop at the moment as I do not want to go online with the main PC. Even with the modem disconnected, if I try to get Google up, another window also appears with a series of numbers in the browser.
I am currently about to try the HijackThis route; Ad-Aware 2008 has cleared some threats but a lot of cookies left; unfortunately it froze and was unable to remove everything. I noticed a WLLoginProxy.exe in the task manager, is this significant? I also tried System Restore but there were no dates prior to the day I was on. Anyway, I have followed the guide as best as I can, have had to do it offline so no updates, hope it'll be ok. Have now tried HijackThis and enclose the logfile:
(I hope this insert works)

Attached Files




#2 ken545

ken545

  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:11:28 AM

Posted 21 August 2008 - 08:06 PM

Hello stellabelch

Welcome to the Bleeping Computer Malware Removal Forum. You do have a bit of a mess going on, let's do a few things. Please do not attach any logs or reports, just paste them in.

Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL,UPF
O4 - HKLM\..\Run: [BMa36a71db] Rundll32.exe "C:\WINDOWS\system32\lbwdghcb.dll",s G
O4 - HKLM\..\Run: [a0594247] rundll32.exe "C:\WINDOWS\system32\ouajrosp.dll",b

O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)



Go to your Add Remove Programs in the Control Panel and uninstall MyWebSearch



    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=-
    "AppInit_DLLs"="avgrsstx.dll"


Copy the entire contents inside the Quote box and paste it into Notepad (this will only work with Notepad). Name the file Regfix.reg and in the drop down box, save it as All Files. Save it to your desktop. Then right-click on the Regfix.reg file and click on Merge; when it asks you to merge with the Registry, say yes.

If you saved the file correctly it should look like this: (screenshot)




Reboot your system and run Malwarebytes

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.<-- Don't forget this
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply along with a New Hijackthis log.

Edited by ken545, 21 August 2008 - 08:06 PM.

Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014



Please consider a donation to help me keep up my fight against malware.

 

Just a reminder that threads will be closed if no response in 3 days


#3 ken545

ken545

  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:11:28 AM

Posted 05 September 2008 - 02:00 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.
