Having trouble getting rid of a Virtumonde Regkey

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Steve1234, Dec 7, 2008.

  1. Steve1234

    Steve1234 Private E-2

    This started last night: I kept having new Firefox tabs open to random links every few minutes while surfing the web. I started with my usual cleaning, CCleaner then Ad-Aware, which picked up the Virtumonde items.

    Today I ran the XP Cleaning procedure. It seems that most of what I had is cleaned out, but in each step it would always find one Virtumonde item that could not be fixed, and Ad-Aware confirms that there is still one Virtumonde Regkey hanging on after completion. Logs are attached.

    I appreciate any assistance you can provide.

    Thanks.
     

    Attached Files:

  2. Steve1234

    Steve1234 Private E-2

    And here's MGlogs.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are almost clean, but you do need to uninstall the below old software, which is a security risk and could be how Virtumonde found its way onto your PC.

    IBM 32-bit Runtime Environment for Java 2, v1.4.1

    And you also need to go to the below folder and delete the shown files, which were jobs for reloading your malware.
    Code:
    "C:\WINDOWS\Tasks\"
    at1.job       Dec  7 2008         350  "At1.job"
    at10.job      Dec  7 2008         350  "At10.job"
    at11.job      Dec  7 2008         350  "At11.job"
    at12.job      Dec  7 2008         350  "At12.job"
    at13.job      Dec  7 2008         350  "At13.job"
    at14.job      Dec  7 2008         350  "At14.job"
    at15.job      Dec  7 2008         350  "At15.job"
    at16.job      Dec  7 2008         350  "At16.job"
    at17.job      Dec  7 2008         350  "At17.job"
    at18.job      Dec  6 2008         350  "At18.job"
    at19.job      Dec  6 2008         350  "At19.job"
    at2.job       Dec  7 2008         350  "At2.job"
    at20.job      Dec  6 2008         350  "At20.job"
    at21.job      Dec  5 2008         350  "At21.job"
    at22.job      Dec  4 2008         350  "At22.job"
    at23.job      Nov 30 2008         350  "At23.job"
    at24.job      Nov 30 2008         350  "At24.job"
    at3.job       Dec  7 2008         350  "At3.job"
    at4.job       Dec  7 2008         350  "At4.job"
    at5.job       Nov 30 2008         350  "At5.job"
    at6.job       Nov 30 2008         350  "At6.job"
    at7.job       Dec  7 2008         350  "At7.job"
    at8.job       Dec  7 2008         350  "At8.job"
    at9.job       Dec  7 2008         350  "At9.job"
    
    Let me know if you have any problems finding and deleting all of those atxx.job files.

    Side note! Are you actually able to play Left 4 Dead on this PC? It does not appear to be fast enough for that game.
     
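    The listing above is a series of numbered at*.job files of identical size in the Windows Tasks folder, which is how the scheduler was being used to reload the malware. The following PowerShell snippet is an added example for readers of this thread, not part of chaslang's instructions or of any MajorGeeks tool: it enumerates the .job files in %windir%\Tasks with their dates and sizes, flags the numbered at-job pattern, and shows (with -WhatIf, so nothing is deleted until that switch is removed) how the same files would be removed. It assumes a PowerShell console run as Administrator on the affected machine.

```powershell
# Added example: review scheduled-task .job files like the at1.job ... at24.job set above.
# Assumes an elevated PowerShell session; the folder path is derived from $env:windir.
$tasksDir = Join-Path $env:windir 'Tasks'

# -Force includes hidden/system entries; the folder is normally hidden on XP.
$jobs = Get-ChildItem -LiteralPath $tasksDir -Filter '*.job' -Force -ErrorAction SilentlyContinue

# Show the same columns the thread's listing has: name, last write time, size in bytes.
$jobs | Sort-Object Name | Format-Table Name, LastWriteTime, Length -AutoSize

# The suspicious pattern in this thread: many jobs named at<number>.job, all the same size.
$suspect = @($jobs | Where-Object { $_.Name -match '^at\d+\.job$' })
if ($suspect.Count -gt 0) {
    $sizes = ($suspect | Select-Object -ExpandProperty Length | Sort-Object -Unique) -join ', '
    Write-Output ("{0} numbered at*.job file(s) found; distinct sizes: {1}" -f $suspect.Count, $sizes)

    # Cross-check with the scheduler's own view before touching anything.
    schtasks /query /fo LIST 2>$null | Select-String -Pattern 'TaskName'

    # Dry run. Remove -WhatIf to actually delete the files, as instructed above.
    $suspect | Remove-Item -Force -WhatIf
} else {
    Write-Output "No numbered at*.job files found in $tasksDir"
}
```

    The size check matters because legitimate scheduled jobs created by different programs rarely share one exact byte length; a run of identical-size, sequentially numbered at*.job entries written over a few days is the signature worth acting on.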
  4. Steve1234

    Steve1234 Private E-2

    Deleted IBM 32-bit Runtime Environment for Java 2, v1.4.1 as well as the .job files.

    Should I re-run any of the tools now to make sure the Virtumonde is completely gone?

    Thanks!!!

    BTW Left 4 Dead is somewhat playable with everything turned down on this thing lol.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not necessary. It's gone.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
     
  6. Steve1234

    Steve1234 Private E-2

    For some reason Ad-Aware and Spyware S & D are still finding an infected Regkey and neither can remove it. In Ad-Aware the object is listed as:
    "Virtumonde Regkey Malware HKEY_CLASSES_ROT:clsid\(6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c)\

    Is this something I should still be worried about?

    Thanks.
     
  7. Steve1234

    Steve1234 Private E-2

    I'm also now having issues, particularly with hotmail.com, where every so often when I go to load a new section or reload my inbox, the window shrinks and a warning box pops up for protectionfastscanner.com or online-antivirusscanner.com asking me to scan my computer with Antivirus 360. Not sure if this is related to the Virtumonde Reg Key still in my system or not...
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sounds like you may have some new infections.


    Please run this procedure: Resetting Registry and File Permissions. Make sure you reboot as instructed.

    Then run SUPERAntiSpyware, make sure you update it, then run a new full scan and attach the new log. Do the exact same for Malwarebytes.

    Then also reboot and then tell me if still having problems.
     
  9. Steve1234

    Steve1234 Private E-2

    Followed your instructions exactly and that one registry key still won't go away. Both SAS and Malwarebytes found and could not fix what they found. See the requested logs...

    Thanks.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please run the Resetting Registry and File Permissions procedure again after booting in safe mode and logging into the Administrator user account. Also please watch for any messages about not being able to set permissions on any keys. Tell me exactly what you see if there are any messages. Then run SAS and MBAM while booted in safe mode.

    Then reboot and run scans on your normal user account and tell me if the infection is still detected.
     
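    A registry key that several scanners detect but none can delete, as in this thread, is usually protected by its permissions rather than by anything running; that is why the advice above is to reset permissions first, then rescan. The PowerShell snippet below is an added example for readers, not part of chaslang's procedure or of any MajorGeeks tool: it reads the ACL of the CLSID key Steve1234 quoted (written in the standard braces form, which is an assumption about what Ad-Aware meant by the parentheses), reports the owner, and highlights any Deny entries or missing Administrators rights that would explain why removal fails. It only reads; it changes nothing.

```powershell
# Added example: inspect why a CLSID key resists removal.
# Assumption: the key is the one quoted earlier in the thread, in standard {GUID} form.
$clsid = '{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c}'
$key   = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"

if (-not (Test-Path -LiteralPath $key)) {
    Write-Output "Key not present: $key"
    return
}

$acl = Get-Acl -LiteralPath $key
Write-Output "Owner: $($acl.Owner)"

$adminHasFull = $false
foreach ($ace in $acl.Access) {
    $note = ''
    if ($ace.AccessControlType -eq 'Deny') {
        # A Deny ACE takes precedence and is the usual reason cleaners report "could not be fixed".
        $note = '  <-- Deny entry blocks removal tools'
    }
    if ($ace.IdentityReference -match 'Administrators' -and $ace.RegistryRights -match 'FullControl') {
        $adminHasFull = $true
    }
    Write-Output ("{0,-6} {1,-35} {2}{3}" -f $ace.AccessControlType, $ace.IdentityReference, $ace.RegistryRights, $note)
}
if (-not $adminHasFull) {
    Write-Output 'Administrators lack FullControl on this key; a permissions reset is needed before deletion.'
}

# Show what the key points at (the InprocServer32 value names the DLL the malware loads).
Write-Output '--- values and subkeys ---'
Get-ItemProperty -LiteralPath $key | Format-List
Get-ChildItem -LiteralPath $key -Recurse | ForEach-Object {
    Write-Output $_.PSPath
    Get-ItemProperty -LiteralPath $_.PSPath | Format-List
}
```

    Run it before and after the permissions-reset step to confirm the ACL actually changed; if the Deny entries are still there afterwards, that is the exact message chaslang asks to be reported back.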
