First attempt - malware hopefully removed: Virtumonde, Smitfraud

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ithryn, Jul 28, 2008.

  1. ithryn

    ithryn Private E-2

I'm working on my in-laws' 1.5 GHz computer which says it has 448MB of RAM (can that be right?). Over the years I've been periodically attempting to remove the malware and viruses it has accumulated, but never successfully. No backups and no clean System Restore points. No firewall. It has AVG7, Ad-aware 2008 and Spybot.

    Problems with the system: slow program loads (my PC is even older than this one but works much faster), slow webpage loads, unable to load more than one webpage at a time (if you try to load two tabs at once, it immediately fails the second one). Ad-aware would occasionally find massive amounts of things, and Spybot would always find Virtumonde and Smitfraud.

    Now I found the guide (the READ ME FIRST guide). Holy cow! So I went through all the steps. There are two SAS logs because I accidentally ran a Quick Scan the first time around. Do I look clean?

    I haven't even rebooted yet, but the system is much zippier and I just loaded three tabs at once. I'm assuming I'm clean, but I'll run one of the scanners again to see. Let me know what you think. Additionally: I've loaded SpywareBlaster's protections, updated all the malware removal tools, and installed Comodo BOClean. I'll be installing Outer Armor when I close this window.

    Also: how do I make sure that AVG (and, I suppose, BOClean) load for every user? They seem to be only loading for my username, but there are three others on this PC.

    Thanks to the site admins for the great guide! Very informative.
    Chris
     


  2. ithryn

    ithryn Private E-2

    Part 2: First attempt - malware hopefully removed: Virtumonde, Smitfraud

    More logs.

    Chris
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!



    We need to use ComboFix to remove a few registry entries.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Copy the bold text below to Notepad. Save it as fixme.reg to your Desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.

    Now run CCleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  4. ithryn

    ithryn Private E-2

    So I came back to this computer to run what you told me to do, and I did notice a big slowdown from the other day! Slow boot, slow loading (especially of Online Armor). I disabled the firewall and BOClean, BTW, before running these things.

    I ran your script in Combofix with no problems that I saw.

    I ran fixme.reg and it notified me that it was entered successfully.

    Ran CCleaner.

    Ran the MG log generator.

    Logs attached.

    The computer seems to be working well again - when Combofix rebooted, the boot time was much speedier and programs seem to be responding better. What do you think?

    Thank you so much for this help,
    Chris
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The fix did not work 100% and I just noticed another hidden malware service to remove, so let's try a slightly changed fix and see if this works. If not, we may need to use another method.




    We need to use ComboFix again.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Copy the bold text below to Notepad. Save it as fixme.reg to your Desktop (yes, overwrite the previous file). Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.

    Now run CCleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  6. ithryn

    ithryn Private E-2

    Ran fix, the .reg file (successfully), CCleaner, and Getlogs. System is still working pretty much the same, although it seemed again to boot slower before I started this tonight.

    BTW, my in-laws don't leave their computer on, so in between these fixes several boot cycles are occurring. Does this matter (in terms of viruses or malware regenerating)?

    Thanks!
    Chris
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your slow startup is just due to the amount of system resources and things that Online Armor is doing.

    Not for what we are currently doing. For some malware (like Virtumonde) rebooting causes it to mutate and spread.

    We still did not get the DOMAINSERVICE registry entries removed. The below process should work.

    • Please go to this link: http://live.sysinternals.com/
    • Find the psexec.exe file in the list, click on it, and download and save it to your Desktop. Doing this properly is critical for other steps below.
    • Now click Start, Run, and enter cmd and click OK. This will open a command prompt window with a prompt that shows the current folder you are in.
    • For you the prompt should show C:\Documents and Settings\HAL>
    • Now type cd Desktop and hit the enter key. There is a space after the cd. If you do this properly, your prompt will change to C:\Documents and Settings\HAL\Desktop>
    • Type the below bold text and hit the enter key. This will open the Windows Registry Editor. You will have to agree to the SysInternals License Agreement that pops up first.
      • psexec -s -i regedit
    • In the Registry Editor click File, Import and then navigate to the fixme.reg file on your Desktop from the previous fix and double click on it to import it into your registry. If it works properly you should get a success message.
    • If you get a success message continue on with the below, otherwise stop and explain to me any problems you had.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:
    • C:\MGlogs.zip
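The two posts above turn on one point: a plain regedit import of fixme.reg reported success, yet the DOMAINSERVICE entries survived until the same file was imported from a SYSTEM context (psexec -s -i). The PowerShell below is an added example, not code from the thread or from MajorGeeks: it reads the key-deletion lines from a .reg file and, for each key, reports whether it is gone and how many Deny ACEs sit on it, which is the usual reason an Administrator-level import leaves a malware key in place. It assumes the standard "Windows Registry Editor" file format ("[-HKEY_...\Key]" deletes a key); the fixme.reg path and the Services subkey shown in the comment are assumptions, since the real file contents are not on the page.

```powershell
# Added example (not from the thread): audit which keys a .reg fix deletes and whether
# they are actually gone. Assumption: standard .reg syntax, where a section header of
# the form [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DOMAINSERVICE]
# deletes that whole key. Value deletions ("name"=-) are not checked here.

function Get-RegFileDeletions {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($line in Get-Content -LiteralPath $Path) {
        # Only "[-ROOT\sub\key]" headers are deletions; "[ROOT\sub\key]" creates/updates.
        if ($line -match '^\[-(?<root>HKEY_[A-Z_]+)\\(?<sub>.+)\]\s*$') {
            # Registry:: provider paths work for every root hive in PowerShell.
            "Registry::$($Matches.root)\$($Matches.sub)"
        }
    }
}

function Test-RegFixApplied {
    param([Parameter(Mandatory)][string]$RegFile)
    foreach ($key in Get-RegFileDeletions -Path $RegFile) {
        if (-not (Test-Path -LiteralPath $key)) {
            [pscustomobject]@{ Key = $key; Status = 'removed'; DenyAces = 0 }
            continue
        }
        # The key survived the merge. Count Deny ACEs on it: malware commonly adds a Deny
        # for Administrators/Everyone so that regedit run as the user cannot delete the key,
        # while the SYSTEM account (psexec -s) is not subject to that ACE in the same way.
        $deny = 0
        try {
            $acl  = Get-Acl -LiteralPath $key
            $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }).Count
        } catch {
            $deny = -1   # ACL not even readable from this account
        }
        [pscustomobject]@{ Key = $key; Status = 'still present'; DenyAces = $deny }
    }
}

# Illustrative run against the file the thread had saved on the Desktop (path assumed).
Test-RegFixApplied -RegFile "$env:USERPROFILE\Desktop\fixme.reg" | Format-Table -AutoSize
```

A row showing "still present" with DenyAces greater than zero after a "successful" import is the signature of the situation in this thread; a row with DenyAces of -1 means the current account cannot even read the key's ACL, and the import must be repeated from a SYSTEM context as described above.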
     
  8. ithryn

    ithryn Private E-2

    I downloaded psexec.exe to the Desktop and used it to load regedit. (Does it fool the computer into thinking it's loaded remotely?) One weird thing happened: after clicking Import, I couldn't navigate to my desktop like I normally do, but I was able to navigate to C:\Doc...\HAL\Desktop and find it there. Anyway, it said it imported fixme.reg successfully.

    Before this the computer was moving VERY slowly and I was getting complaints from my brother-in-law. :p Now it seems to still be a little slower than normal, but not like it was.


    Chris
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not really. How we are using it is to force it to run the command like the System (i.e., Windows) is in control and not a specific user account.

    That removed the registry keys we were trying to remove.


    It is not a malware problem. It is just what you are running, along with the fact that you are light on RAM by today's standard of what applications require to run properly.



    If you are not having any other malware problems, it is time to do our final steps:
    1. You can uninstall SUPERAntiSpyware now.
    2. We recommend you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between the combofix" and the /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combo-fix folder from combofix.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip file.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
