Can anyone verify whether I've managed to remove Winfixer/Virtumundo?

I first saw Winfixer symptoms through IE. Never had a problem with Firefox, fortunately. I ran Spybot and Adaware, but they found nothing. Finally when I ran VirusScan it reported Virtumundo in efeca.dll. I could not remove this file, or clean it.

I then ran through the steps I found here (modifying file names to detect efeca):
http://www.techsupportforum.com/showthread.php?threadid=70493

Basically I...
- Installed and ran HijackThis.
- Verified efeca.dll appeared in log.
- Installed VundoFix, ran in safe mode against:
c:\windows\system32\efeca.dll
c:\windows\system32\acefe.*
- Used HijackThis to fix items.
- Rebooted.
- Ran CleanUp.
- Ran Panda ActiveScan.

Here's the VundoFix log I wound up with:

====================================================================
VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\efeca.dll

The second filepath entered was C:\WINDOWS\system32\acefe.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 200 'smss.exe'

Killing PID 1688 'explorer.exe'
Killing PID 1688 'explorer.exe'


Killing PID 276 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\system32\efeca.dll Deleted sucessfully.
C:\WINDOWS\system32\acefe.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------
====================================================================

Even after all this, ActiveScan reported spyware (though VirusScan thinks my system is clean now). Here's the ActiveScan log:

====================================================================
Incident Status Location Spyware:spyware/virtumonde No disinfected Windows Registry
Spyware:Spyware/Virtumonde No disinfected C:\QUARANTINE\ifm[1]
====================================================================

And here's my latest HijackThis log, validated by KRC HijackThis Analyzer.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 11:32:36 AM, on 10/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\XIMETA\NetDisk\LDServ.exe
C:\WitnessSystems\eQualityApplicationServer\bin\witappsvc.exe
C:\WitnessSystems\eQualityApplicationServer\bin\jre\bin\java.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\RPDFLchr.exe
C:\Updater.exe
C:\Program Files\Network Associates\Common Framework\McScript_InUse.exe
C:\Program Files\Evals\HijackThis AntiSpyWare\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\System32\efeca.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\Evals\FlashFXP\IEFlash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RoboPDF] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\RPDFLchr.exe
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ANR] C:\Program Files\Evals\Audio Notes Recorder\ANR.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Startup: Rogers Desktop TXT.lnk.disabled
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: NetDisk Administrator.lnk = C:\Program Files\XIMETA\NetDisk\Admin.exe
O4 - Global Startup: SnagIt 5.lnk = C:\Program Files\TechSmith\SnagIt\SnagIt32.exe
O4 - Global Startup: Vonage Softphone.lnk.disabled
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Visio\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\samnsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://connect.witness.com/dana-cached/setup/NeoterisSetup.cab
O16 - DPF: {91CF225C-A39A-4FD0-8836-5E40C8D2C71C} (URLToFile Class) - http://plichtenwalner/witness/apps/replay/ie5/1.0/DownLoader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9F51E426-6EED-11D3-80B8-00C04F610DBB} (WebTransferCtrl Class) - http://witskb/Worksite/bin/iManFile.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://witness.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = US.Witness.com
O17 - HKLM\Software\..\Telephony: DomainName = us.witness.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{A73F2649-1745-4268-AF6F-42EBBD1B0A6E}: NameServer = 204.101.251.1,204.101.251.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = US.Witness.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = US.Witness.com
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: efeca - C:\WINDOWS\System32\efeca.dll (file missing)
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: LANSCSI Helper Service (LanScsiHelper) - XIMETA, Inc. - C:\Program Files\XIMETA\NetDisk\LDServ.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINDOWS\system32\snmptrap.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: eQuality Application Services (witappsvc) - Unknown owner - C:\WitnessSystems\eQualityApplicationServer\bin\witappsvc.exe


End of KRC HijackThis Analyzer Log.
====================================================================

Is ActiveScan right -- are Virtumonde or Winfixer still on my system? If so, how can I eliminate them for good?

Thanks for your help!
 

TSF Security Team, Emeritus
Hi & welcome to TSF.

~~~~~~~~~~~~
Incident Status Location Spyware:spyware/virtumonde No disinfected Windows Registry
Spyware:Spyware/Virtumonde No disinfected C:\QUARANTINE\ifm[1]
~~~~~~~~~~~~


Let's interpret what ActiveScan is saying.

It says that there's an infected file in C:\QUARANTINE\ifm[1].
That looks to be right since that is the designated folder for keeping quarantined infections.
If you feel uneasy about it, you can navigate to that folder & delete it.


It also reports that you have Virtumonde in your registry. That is also correct. HijackThis is reporting some orphaned entries from your Registry.

O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\System32\efeca.dll (file missing)
O20 - Winlogon Notify: efeca - C:\WINDOWS\System32\efeca.dll (file missing)


Launch HijackThis, place a check next to the above items and select "Fix checked".


That should be the end of your worries. :grin: Let me know if it isn't so.
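The two leftovers discussed in this thread are registry entries (an O2 Browser Helper Object and an O20 Winlogon Notify package) that still point at a DLL which no longer exists. The script below is an added example, not part of either post or of HijackThis, that finds such orphaned entries on a live machine so they can be reviewed before removal; it assumes the standard key locations and an elevated PowerShell session.

```powershell
# Added example (not from the forum thread): list Browser Helper Object (HijackThis "O2")
# and Winlogon Notify ("O20") registry entries whose DLL is missing from disk.
# These orphaned references are what a scanner can still report as "in the registry"
# after the DLL itself has been deleted. Review the output before removing anything.

function Get-OrphanedBhoEntries {
    $bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bhoRoot)) { return }
    Get-ChildItem $bhoRoot | ForEach-Object {
        $clsid = $_.PSChildName
        # The BHO key only names the CLSID; the DLL path is the default value of
        # HKCR\CLSID\{clsid}\InprocServer32.
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
        $dll = [Environment]::ExpandEnvironmentVariables(($dll -replace '"', ''))
        if ($dll -and -not (Test-Path -LiteralPath $dll)) {
            [pscustomobject]@{ Type = 'O2 BHO'; Key = $clsid; Path = $dll }
        }
    }
}

function Get-OrphanedWinlogonNotify {
    # Winlogon Notify packages are an XP/2003-era mechanism; the key may be absent on newer systems.
    $notifyRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (-not (Test-Path $notifyRoot)) { return }
    Get-ChildItem $notifyRoot | ForEach-Object {
        $dll = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).DllName
        if (-not $dll) { return }   # acts as "continue" inside ForEach-Object
        # A bare file name (e.g. "efeca.dll") is loaded from System32, which is how HijackThis shows it.
        if (-not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $env:SystemRoot "System32\$dll" }
        if (-not (Test-Path -LiteralPath $dll)) {
            [pscustomobject]@{ Type = 'O20 Winlogon Notify'; Key = $_.PSChildName; Path = $dll }
        }
    }
}

# Report both kinds of orphaned entry in one table.
@(Get-OrphanedBhoEntries) + @(Get-OrphanedWinlogonNotify) | Format-Table -AutoSize
```

An empty table means no O2 or O20 entry references a missing file; entries that do appear correspond to the "(file missing)" lines HijackThis prints and are candidates for "Fix checked".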
 