
Thread: Virtumonde & Windows Login LOOP

  1. #1
    Junior Member
    Join Date
    Oct 2007
    Posts
    8

    Virtumonde & Windows Login LOOP

    Summary: I visited a site that I should have known was questionable, and ended up with some file on my computer that self-executed. I did a Spybot update and search, but just as the search was finished and I attempted to clean the 12-some adware/malware that showed up, Symantec (I have the full version from school) popped up, interrupted the cleaning, and caused my computer to freeze. I did a hard restart and...

    Now my computer logs off as soon as I log in: the background shows up, it says Windows is starting, then it abruptly begins logging off and saving Windows' current settings.

    I managed to start in safe mode and use Spybot to clean EVERYTHING BUT VIRTUMONDE, then I started in safe mode with networking and downloaded HijackThis to that computer (I'm using a different one to post); however, my computer was immediately reinfected with things like MalwareAlarm, etc.

    I cleaned them again, made another HijackThis log, and found that I could no longer connect to the internet on that computer, and I am unsure of whether I can transfer that log to this computer without risking infection on this one.

    If I could just boot up the computer regularly, as opposed to safe mode, I could surely post it.

    --------------------------------
    AS SOON AS I CAN GET THE FILES OVER OR LOG IN SUCCESSFULLY, I WILL POST THE HijackThis log. As for Kaspersky, it failed after my internet connection died out, but I will definitely try it as well.

  2. #2
    Junior Member
    Join Date
    Oct 2007
    Posts
    8


    It should be noted that I have no floppy disks or flash drives. I will be buying one in a few hours.

    Likewise: http://www.winxptutor.com/wsaremove.htm

    That fix, when done from safe mode, did not fix my problem.

    I DO HAVE HIJACKTHIS LOGS, I JUST LACK ANY WAY TO PLACE THEM ON THIS COMPUTER OR THE INTERNET.

  3. #3
    Junior Member
    Join Date
    Oct 2007
    Posts
    8


    HIJACKTHIS LOG FOLLOWS:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:34:01 PM, on 10/29/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\oefexblb.exe
    C:\WINDOWS\system32\conime.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [imjpmig] H:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [bload] C:\WINDOWS\system32\bload.exe
    O4 - HKLM\..\Run: [98febd22] rundll32.exe "C:\WINDOWS\system32\osajyrny.dll",b
    O4 - HKLM\..\RunOnce: [SpybotDeletingA2127] command /c del "C:\Documents and Settings\Sabin Jacob\Local Settings\temp\winlogon.exe_tobedeleted"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC4546] cmd /c del "C:\Documents and Settings\Sabin Jacob\Local Settings\temp\winlogon.exe_tobedeleted"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Seol] "C:\DOCUME~1\SABINJ~1\APPLIC~1\F?Ints\regedit.exe" -vt yazb
    O4 - HKCU\..\Run: [Vrou] "C:\Program Files\Common Files\?ecurity\s??oolsv.exe"
    O4 - HKCU\..\Run: [DDC] C:\WINDOWS\system32\oefexblb.exe
    O4 - HKCU\..\RunOnce: [SpybotDeletingB4162] command /c del "C:\Documents and Settings\Sabin Jacob\Local Settings\temp\winlogon.exe_tobedeleted"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD3369] cmd /c del "C:\Documents and Settings\Sabin Jacob\Local Settings\temp\winlogon.exe_tobedeleted"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

  4. #4
    Junior Member
    Join Date
    Oct 2007
    Posts
    8


    O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
    O15 - Trusted Zone: http://arad.hangame.co.jp
    O15 - Trusted Zone: http://id.hangame.co.jp
    O15 - ESC Trusted Zone: http://*.update.microsoft.com
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1169092947375
    O16 - DPF: {8E9089E1-0461-4F60-8150-1E334629ABB7} (CNeopleInstallAXCtlJap6 Object) - http://down.hangame.co.jp/jp/pudn/pu...r/arad_dis.cab
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 6245 bytes

  5. #5
    Junior Member
    Join Date
    Oct 2007
    Posts
    8


    I did not intend for it to be word wrapped. My apologies, I am rushing because I fear my internet connection will be terminated any second, as it was yesterday.

    I am currently operating in Safe Mode with Networking.

  6. #6
    Junior Member
    Join Date
    Oct 2007
    Posts
    8


    I was not able to procure a flash drive to ferry files back and forth, but I may be able to have temporary internet connectivity on the infected computer, though it will be sporadic. So I should be able to download whatever programs are necessary for Virtumonde's removal.

    Also the Recovery provided by the Windows XP CD did not allow me to end the Windows LOGIN LOGOFF loop.

    ----------------
    If there is ANY information I need to provide that I have not yet provided, other than the Kaspersky Online Scanner (which I can't stay online long enough to access), please let me know and I will gladly provide it.

  7. #7
    Junior Member
    Join Date
    Oct 2007
    Posts
    8


    Quote Originally Posted by OuterRem
    O4 - HKLM\..\Run: [bload] C:\WINDOWS\system32\bload.exe
    Identified as Trojan.Win32.Pakes

    However it should be noted that I run a custom .msstyle over my regular windows GUI. So it could be the legitimate one, just, the name is wrong. I don't have Stardock's WindowBlinds program though.

    http://www.bleepingcomputer.com/startups/

    Quote Originally Posted by OuterRem
    O4 - HKLM\..\Run: [98febd22] rundll32.exe "C:\WINDOWS\system32\osajyrny.dll",b
    Not found in bleepingcomputer database.

    Quote Originally Posted by OuterRem
    O4 - HKCU\..\Run: [Seol] "C:\DOCUME~1\SABINJ~1\APPLIC~1\F?Ints\regedit.exe" -vt yazb
    Not found in bleepingcomputer database.

    Quote Originally Posted by OuterRem
    O4 - HKCU\..\Run: [Vrou] "C:\Program Files\Common Files\?ecurity\s??oolsv.exe"
    Not found in bleepingcomputer database.

    Quote Originally Posted by OuterRem
    O4 - HKCU\..\Run: [DDC] C:\WINDOWS\system32\oefexblb.exe/
    Not found in bleepingcomputer database.

    ------------------------------

    Quote Originally Posted by OuterRem
    O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
    I installed Easy2Game to play a foreign game with large nationwide IP bans of the U.S. That's why this is in the Layered Service Provider chain. I don't use it, so if it makes any difference, it doesn't matter if this is removed. (I use a VPN instead.)

    ---------------------------------

    Quote Originally Posted by OuterRem
    O15 - Trusted Zone: http://arad.hangame.co.jp
    O15 - Trusted Zone: http://id.hangame.co.jp
    This is that foreign game, Arad Senki. The exe for this game is activated by ActiveX controls from the website, so I personally added it and the registration section of the website to my Trusted Zone. Hangame is the company that makes this game.

    Quote Originally Posted by OuterRem
    O16 - DPF: {8E9089E1-0461-4F60-8150-1E334629ABB7} (CNeopleInstallAXCtlJap6 Object) - http://down.hangame.co.jp/jp/pudn/pu...r/arad_dis.cab
    This is the ActiveX launcher for the Game's .exe file.

    ------------------------
    I hope this information is of use in identifying which of the strange things that showed up some people actually put on their system intentionally, me being the example.
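    The triage done in this post by hand (checking each O4 autorun entry and the repeated O10 LSP lines) can be partly automated. The Python below is an added example, not HijackThis or bleepingcomputer code; the regexes, the function names (`o4_reasons`, `triage`) and the three heuristics (an all-hex entry name, `?` characters that HijackThis prints for characters it cannot render, a Windows system binary name outside %WINDIR%) are this example's own assumptions, and the sample log is constructed from lines quoted in the thread.

```python
import re

# Assumed line shapes: this example's regexes, not an official HijackThis grammar.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")
EXE_RE = re.compile(r'([^\\"]+\.exe)', re.IGNORECASE)
# Windows binary names that look-alike autorun entries commonly borrow (assumed list).
SYSTEM_NAMES = {"regedit.exe", "spoolsv.exe", "winlogon.exe", "svchost.exe"}

# Constructed sample: O4/O10 lines quoted in the thread plus one clean Symantec entry.
SAMPLE = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [98febd22] rundll32.exe "C:\WINDOWS\system32\osajyrny.dll",b
O4 - HKCU\..\Run: [Seol] "C:\DOCUME~1\SABINJ~1\APPLIC~1\F?Ints\regedit.exe" -vt yazb
O4 - HKCU\..\Run: [Vrou] "C:\Program Files\Common Files\?ecurity\s??oolsv.exe"
O4 - HKCU\..\Run: [DDC] C:\WINDOWS\system32\oefexblb.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
"""


def o4_reasons(name, cmd):
    """Heuristic reasons to look harder at one autorun entry; [] means none fired."""
    reasons = []
    if HEX_NAME_RE.match(name):
        reasons.append("random hex value name")
    if "?" in cmd:
        # HijackThis prints '?' for characters it cannot render, so a '?' inside a
        # path marks a folder or file name built from non-ASCII look-alike characters.
        reasons.append("unprintable character in path")
    exe = EXE_RE.search(cmd)
    if exe and exe.group(1).lower() in SYSTEM_NAMES and "\\windows\\" not in cmd.lower():
        reasons.append("system binary name outside %WINDIR%")
    # An empty list (e.g. oefexblb.exe) still means a manual lookup, as the thread did.
    return reasons


def triage(log_text):
    """Map flagged O4 entry names to reasons and count O10 LSP lines per DLL."""
    flagged, lsp = {}, {}
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            reasons = o4_reasons(m.group("name"), m.group("cmd"))
            if reasons:
                flagged[m.group("name")] = reasons
        elif m := O10_RE.match(line):
            path = m.group("path").lower()
            lsp[path] = lsp.get(path, 0) + 1
    return flagged, lsp
```

    Running `triage(SAMPLE)` flags the [98febd22], [Seol] and [Vrou] entries and reports gamelink.dll chained twice, while [ccApp] and [DDC] pass the heuristics and still need the manual database lookup this post describes.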

  8. #8
    Junior Member
    Join Date
    Oct 2007
    Posts
    8


    http://www.bleepingcomputer.com/forums/topic114402.html

    I am currently receiving help at these forums. I wish to let you know that my case is being handled.

    Regards,
    -Rem.

  9. #9
    pskelley
    In Memoriam - Always in our heart
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    We appreciate your letting us know; you may want to look at the directions for posting here:
    http://forums.spybot.info/showthread.php?t=288

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
