
Here are the steps I took.

1. Spybot picked up a few attempted registry changes, which my wife allowed (gaaaah!!)

2. Ran HijackThis as scannow.exe and fixed obvious errors.

3. Attempted to use VundoFix to remove 2 files that are associated with Vundo that were not picked up by the VundoFix scan (C:\Windows\System32\vturq.dll & C:\Windows\system32\iiffffc.dll). I found these via the allowed registry changes in Spybot. VundoFix could not remove these; when it tried I got an lsass.exe error.

4. Installed GiPo@utilities to remove the files at reboot, and it could not remove them (or if it did, they came back).

5. Found the unknown file in my Winsock (C:\Windows\System32\nwprovau.dll) that HijackThis found, and moved and renamed it. When I rebooted it came back.

6. Looked at Spybot in my BHO list and found vturq.dll running as a BHO. Deleted it, but it just comes right back. Spybot has it listed in my white list and I am not sure how to remove it. I went to settings in the TeaTimer tray and went to allowed registry changes. I deleted the one that I thought was it, but it just came back.

7. Decided to do all the steps and ask for help.

8. Turned off System Restore and rebooted in safe mode (minimal)

9. Ran ATF Cleaner

10. Ran CCleaner

11. Ran CleanUp!
Logged off then back in to finish cleaning (still in safe mode minimal)

12. Ran AVG Anti-Spyware
Complete System Scan
-0 files found
(rebooted in safe mode minimal)

13. Ran Ad-Aware
Full System Scan
-2 MRU tracking cookies found
Deleted files
(rebooted in safe mode minimal)

14. Ran Spybot
Virtumonde found!
*HKEY_USERS\S-1-5-21-299502267-1659004503-839522115_1003\Software\Microsoft\aldd
*HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws
*HKEY_USERS\S-1-5-21-299502267-1659004503-839522115_1003\Software\Microsoft\rdfa
Fixed problem
(rebooted in safe mode minimal)

15. Ran Spybot again
-0 Files found
(rebooted in safe mode minimal)

16. Ran Spyware Doctor
Full Scan
-Trojan.Virtumonde (7 infections)
*Process
explorer.exe (C:\WINDOWS\system32\vturq.dll)
lsass.exe (C:\WINDOWS\system32\vturq.dll)
*File
C:\WINDOWS\system32\vturq.dll
C:\WINDOWS\system32\qrutv.ini
C:\WINDOWS\system32\qrutv.bak1
C:\WINDOWS\system32\qrutv.bak2
*Registry Keys
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D32B0BB6-16DE-4E6D-BE24-4C813934A181}
-Trojan-PWS.Tanspy (1 infection)
*Registry Keys
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Control Panel\load
Deleted Files
(rebooted in safe mode minimal)

17. Ran Spyware Doctor again
Full Scan
-0 Files Found
(rebooted in safe mode minimal)

18. Ran ZoneAlarm spyware scan
Deep-System Scan
-0 Files Found
(rebooted in safe mode minimal)

19. Ran Symantec AntiVirus Scan
-0 Files Found
(rebooted in safe mode minimal)

20. Ran Trojan Remover
-0 Files Found
(rebooted in safe mode minimal)

21. Ran Trojan Hunter
Full Scan
-0 Files Found
(rebooted in safe mode minimal)

22. Ran McAfee's Stinger
-0 Files Found
(rebooted in safe mode w/networking)

23. Ran Kaspersky's Online Scanner
Full Scan
-1 File Found
C:\Windows\system32\iiffc.dll
No Action Available
(rebooted in safe mode w/networking)

24. Ran TrendMicro's Online Scanner
-1 File Found
C:\WINDOWS\system32\Process.exe
(rebooted in safe mode w/networking)

25. Ran Killbox to delete iiffffc.dll
Delete failed

26. Ran Killbox to delete iiffffc.dll on reboot
Log says delete failed, however the file is gone.
(rebooted in safe mode with networking)

27. Ran SmitFraudFix
(rebooted in safe mode with networking)

28. Ran VundoFix
-0 Files Found
(rebooted in safe mode with networking)

29. Ran VirtumundoBeGone
-0 Files Found
(rebooted in safe mode with networking)

30. Ran ComboFix
-17 Files Moved To the QooBox
*14 in BackEnv
*3 in Quarantine
(rebooted in Normal)

31. Ran TrojanRemover
-7 Files Found
*Key=catchme
ImagePath=\??\C:\DOCUME~1\Jonathan\LOCALS~1\Temp\catchme.sys - this reference has been removed
C:\DOCUME~1\Jonathan\LOCALS~1\Temp\catchme.sys - unable to take ownsership/change permissions
C:\DOCUME~1\Jonathan\LOCALS~1\Temp\catchme.sys has been marked for renaming when the PC is restarted
*C:\WINDOWS\system32\gebya.dll - appears to contain ADWARE.VIRTUMONDE (HEURISTIC DETECTION)
C:\WINDOWS\system32\gebya.dll - this Browser Helper Object was being loaded by the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{49D65A19-D87B-4890-88DE-B8F78F27BEFB} - this key has been removed
C:\WINDOWS\system32\gebya.dll - this Browser Helper Object was referenced by the following key:
HKEY_CLASSES_ROOT\CLSID\{49D65A19-D87B-4890-88DE-B8F78F27BEFB} - this key has been removed
C:\WINDOWS\system32\gebya.dll has been renamed to: C:\WINDOWS\system32\gebya.dll.ren
This file will also be marked for renaming during PC restart, in case it is re-created
*aybeg.ini, associated with Adware.VirtuMonde, found in C:\WINDOWS\system32\
C:\WINDOWS\system32\aybeg.ini - has HIDDEN attribute set
C:\WINDOWS\system32\aybeg.ini - HIDDEN attribute removed
C:\WINDOWS\system32\aybeg.ini - has SYSTEM attribute set
C:\WINDOWS\system32\aybeg.ini - SYSTEM attribute removed
C:\WINDOWS\system32\aybeg.ini has been renamed to: C:\WINDOWS\system32\aybeg.ini.ren
*aybeg.bak1, associated with Adware.VirtuMonde, found in C:\WINDOWS\system32\
C:\WINDOWS\system32\aybeg.bak1 - has HIDDEN attribute set
C:\WINDOWS\system32\aybeg.bak1 - HIDDEN attribute removed
C:\WINDOWS\system32\aybeg.bak1 - has SYSTEM attribute set
C:\WINDOWS\system32\aybeg.bak1 - SYSTEM attribute removed
C:\WINDOWS\system32\aybeg.bak1 has been renamed to: C:\WINDOWS\system32\aybeg.bak1.ren
*C:\WINDOWS\system32\ddccd.dll - appears to contain ADWARE.VIRTUMONDE (HEURISTIC DETECTION)
C:\WINDOWS\system32\ddccd.dll - this Browser Helper Object was being loaded by the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{D53B2CA8-BB47-4285-A887-D35609903605} - this key has been removed
C:\WINDOWS\system32\ddccd.dll - this Browser Helper Object was referenced by the following key:
HKEY_CLASSES_ROOT\CLSID\{D53B2CA8-BB47-4285-A887-D35609903605} - this key has been removed
C:\WINDOWS\system32\ddccd.dll has been renamed to: C:\WINDOWS\system32\ddccd.dll.ren
This file will also be marked for renaming during PC restart, in case it is re-created
*dccdd.ini, associated with Adware.VirtuMonde, found in C:\WINDOWS\system32\
C:\WINDOWS\system32\dccdd.ini - has HIDDEN attribute set
C:\WINDOWS\system32\dccdd.ini - HIDDEN attribute removed
C:\WINDOWS\system32\dccdd.ini - has SYSTEM attribute set
C:\WINDOWS\system32\dccdd.ini - SYSTEM attribute removed
C:\WINDOWS\system32\dccdd.ini has been renamed to: C:\WINDOWS\system32\dccdd.ini.ren
*dccdd.bak1, associated with Adware.VirtuMonde, found in C:\WINDOWS\system32\
C:\WINDOWS\system32\dccdd.bak1 - has HIDDEN attribute set
C:\WINDOWS\system32\dccdd.bak1 - HIDDEN attribute removed
C:\WINDOWS\system32\dccdd.bak1 - has SYSTEM attribute set
C:\WINDOWS\system32\dccdd.bak1 - SYSTEM attribute removed
C:\WINDOWS\system32\dccdd.bak1 has been renamed to: C:\WINDOWS\system32\dccdd.bak1.ren
(rebooted in Normal)

32. Ran TrojanRemover again
-0 Files Found


So I think I might be clean. I ran HijackThis (renamed as scannow.exe) and viewed the log on hijackthis.de, and I appear to be clean. Can anyone verify this?

I am worried that the log shows no O20 entries, as I know I have BHOs installed.

Also, can I delete the QooBox folder generated by ComboFix, as well as the C:\Combofix folder that was created when I ran the program?

I was reading on the VundoFix site about how they encountered Vundo that had hooked itself onto lsass.exe rather than winlogon.exe.
I believe that is the same problem I have. When I entered vturq.dll into VundoFix and tried to remove it, I got an lsass.exe error.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:35, on 2007-10-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Hijackthis\scannow.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SBDrvDet] "C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://www.cafepress.com
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by122fd.bay122.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1160458304640
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} -
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5135/mcfscan.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15029/CTPID.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7162 bytes
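In a HijackThis log the Browser Helper Objects are the O2 lines, which is where the vturq.dll BHO reported by Spyware Doctor would have appeared. As an added example that is not part of the original post or of any of the tools named in it, the Python below parses HijackThis-style entry lines and flags the three patterns this thread turns up: an unnamed BHO loaded from system32, a Winsock LSP that HijackThis does not recognise (O10), and an O16 DPF entry left with no download URL. It also derives the companion file names Vundo used on this machine, namely the DLL stem reversed as .ini/.bak1/.bak2 (vturq.dll with qrutv.ini, gebya.dll with aybeg.ini, ddccd.dll with dccdd.ini, exactly as the Spyware Doctor and Trojan Remover output shows), so a responder reading a log knows what to look for beside a suspect DLL. The sample lines are constructed from the log in the post; the vturq.dll O2 line is hypothetical, assembled from the path and CLSID Spyware Doctor reported. Treating a BHO under system32 as suspect is a heuristic assumed here (most legitimate helpers install under Program Files), not a rule HijackThis itself applies.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample, modelled on the HijackThis log in the post. The third O2
# line is hypothetical: it pairs the vturq.dll path with the BHO CLSID that
# Spyware Doctor listed, to show how a Vundo-style entry reads in a log.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: (no name) - {D32B0BB6-16DE-4E6D-BE24-4C813934A181} - C:\\WINDOWS\\system32\\vturq.dll
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} -
"""

# HijackThis entry lines start with a section tag such as R1, O2, O10, O23.
ENTRY = re.compile(r"^([RFNO]\d+)\s*-\s*(.*)$")


def parse_hjt(text):
    """Yield (section, body) for every entry line; header and process list are skipped."""
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2).strip()


def companion_names(dll_name):
    """Companion data files Vundo kept beside its DLL on this machine: the DLL
    stem reversed, as .ini, .bak1 and .bak2 (vturq.dll <-> qrutv.ini etc.)."""
    rev = PureWindowsPath(dll_name).stem[::-1]
    return [f"{rev}.ini", f"{rev}.bak1", f"{rev}.bak2"]


def flag_entries(text):
    """Return (section, detail, reason) triples for entries worth a second look."""
    findings = []
    for section, body in parse_hjt(text):
        if section == "O2":
            # O2 body layout: "BHO: <name> - {CLSID} - <dll path>"
            parts = body.rsplit(" - ", 2)
            if len(parts) != 3:
                continue
            name, _clsid, path = (p.strip() for p in parts)
            dll = PureWindowsPath(path)
            # Heuristic (assumed here): an unnamed BHO living in system32 is the
            # shape Vundo took on this machine; legitimate helpers normally sit
            # under Program Files, like the Adobe and Spybot entries.
            if dll.parent.name.lower() == "system32" and name.endswith("(no name)"):
                findings.append((section, path,
                                 "unnamed BHO loaded from system32; also check for "
                                 + ", ".join(companion_names(dll.name))))
        elif section == "O10":
            # HijackThis could not attribute this Winsock LSP to a known product.
            findings.append((section, body, "Winsock LSP not recognised by HijackThis"))
        elif section == "O16" and body.endswith("-"):
            # Downloaded Program File registered with no source URL.
            findings.append((section, body, "ActiveX (DPF) entry with no download URL"))
    return findings


if __name__ == "__main__":
    for section, detail, reason in flag_entries(SAMPLE_LOG):
        print(f"{section}: {detail}\n    -> {reason}")
```

Run against a saved HijackThis log instead of the sample, the same three checks apply unchanged; the companion-name helper is what turns a single flagged DLL into the list of .ini/.bak files a cleanup tool should also be asked about.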


OK, I'm an idiot. I never said what the problem was to begin with.

I started having pop-ups and saw Outerinfo installed in my program list.
