Help with Virtumonde and maybe others?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mrzomp, Oct 6, 2008.

  1. mrzomp

    mrzomp Private E-2

    Hello,
My Dell laptop has the McAfee Security Center running and last Sunday (9/28/08) I received an alert that my Spamkiller in McAfee may need to be re-installed. I tried enabling Spamkiller in my System tray and nothing would happen. Then, I started getting my Internet Explorer browser hijacked. I ran a McAfee scan but it would not find anything. I've since tried to uninstall McAfee, but haven't been able to remove everything.

    I then installed an online Beta version of Spysweeper and it found various spyware and trojans. It tried to remove the infected files but it would just seize up. It said there was something running in memory that needed to be removed. I tried to reboot, but when it did I would get nothing except my background picture on the screen. I could hit control + alt + delete to open Task Mgr only to see what was running but couldn't start any programs. So I shut down from there and booted into Last Known Good. Everything started and I could see my icons again, but when I tried to get on the internet I had the same malware, I guess.

    I ran Spysweeper again and the log said that I had Virtumonde, trojan-downloader-waverevenue, EICAR-AV-Test, Mal/Generic-A, Agent-HTL, and Virtum-Gen, as well as some other less serious adware and cookies.

    I then found your site on the internet, read your Read Me file, followed everything that was suggested, downloaded all five programs, ran them and created logs.

    In between running Super Antispyware and Spybot I now have Limited or No Connectivity on my wireless network. I did get it momentarily, but when I did I now get a message from Super Antispyware telling me that something is trying to change my Home page in IE. I hit Block Change and it keeps popping back up, and in the field it says about:blank. So I continued running the next 3 programs, creating logs for each.

    So, I still have limited or no internet connectivity and I can't open Help and Support to view System Restore...I get an error message saying Windows cannot find helpctr.exe.

    So, the bottom line is I'm still having problems. I may have failed to mention some other important details, but that's all I can remember right now. I've been working on this for many hours ever since it happened. I could just wipe it and re-install, but it's personal now.

    Hopefully with your help, I can find the infected files and remove it properly.

    I've attached the first few logs for your review. Your help will be much appreciated.

    Thanks,

    Mike
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    We need the log from MGtools to continue.

    Note you did not update the detections/definitions for SAS and MBAM before running the scans.
     
  3. mrzomp

    mrzomp Private E-2

    Thanks for the reply!

    About the detections/definitions, I thought that I downloaded the most recent. I followed the Read Me First instructions to the letter, but I was having "Limited or No Connectivity" issues at the time so that might have been the problem. I used another computer to download the program installs to thumb drive and then transferred them that way.

    Anyway, I've attached the MGtools log for your review. If there's anything else you think I should do, please let me know.

    Thanks for your help,

    Mike
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Downloading the programs only gives you the current program version not the current detections/definitions versions. That is why the READ & RUN ME stated that you need to make sure you update afterwards. If you cannot do online updates due to no internet connection, we did give links to get the definitions manually.

    You have Webroot Security Suite installed but McAfee was not properly uninstalled yet, so let's clean this up.

    Uninstall the below software:
    McAfee SecurityCenter
    Viewpoint Media Player <-- should have been uninstalled in step 1 of the READ ME

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
    O20 - AppInit_DLLs: ygcecq.dll

    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.


    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
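A defender-side triage of the HijackThis line format used in the fix list above, as an added example that is not part of this thread or of HijackThis itself: it parses O2/O4/O20 entries and lists why each deserves a look before it is fixed. The sample lines are the four quoted in this post; the random-name heuristic and all function names are my own assumptions.

```python
import re

# Constructed sample input: the four HijackThis lines quoted in the post above.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKLM\\..\\Run: [RealTray] "C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O20 - AppInit_DLLs: ygcecq.dll
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<dlls>.*)$")
BARE_DLL_RE = re.compile(r"^[a-z]{5,8}\.dll$")  # assumed heuristic: short random name, no path
SUB_RE = {"O2": BHO_RE, "O4": RUN_RE, "O20": APPINIT_RE}

def parse_line(line):
    """Split one HJT line into its O-section and the fields that section uses."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    entry = {"section": section, "raw": line.strip()}
    sm = SUB_RE[section].match(rest) if section in SUB_RE else None
    if sm:
        entry.update(sm.groupdict())
    return entry

def triage(entry):
    """Return the reasons an analyst should review this entry (empty = nothing notable)."""
    reasons = []
    if entry["section"] == "O2":
        if entry.get("path") == "(no file)":
            reasons.append("BHO CLSID registered but its DLL is missing: orphaned or hidden")
        if entry.get("name") == "(no name)":
            reasons.append("BHO carries no display name")
    elif entry["section"] == "O20" and entry.get("dlls", "").strip():
        reasons.append("AppInit_DLLs is loaded into every process that uses user32.dll")
        for dll in re.split(r"[ ,]+", entry["dlls"].strip()):
            if BARE_DLL_RE.match(dll):
                reasons.append(f"{dll}: bare random-looking name, resolved via DLL search order")
    elif entry["section"] == "O4" and entry.get("cmd"):
        reasons.append(f"autostart under {entry['hive']}\\{entry['key']}: verify the launched program")
    return reasons

def triage_log(text):
    # Parse the whole log and keep only entries that have at least one reason.
    return [(e["raw"], r) for e in map(parse_line, text.splitlines()) if e and (r := triage(e))]
```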
  5. mrzomp

    mrzomp Private E-2

    Thanks again for your help!

    I followed your instructions and have attached the requested logs. I'm pretty sure that I am now free of the infections that I had. However, I still can't get internet connectivity. I was connected through a wireless adapter to a wireless router at first, but now I'm even connected with Cat 5 cable directly to the router and still get "Limited or no Connectivity" on the connection.

    It might just be a setting that needs to be changed, but I can't seem to find it.

    I appreciate your help!

    Mike
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's possible that you need to reinstall drivers for your hardware, which would be an issue better discussed in the Networking Forum; however, give the below a try just to see if it helps.
    If this does not work, try shutting down your Webroot software and its firewall just to see if it is causing you any problems.

    Also you still seem to have things from McAfee installed. Let's try to fix this. Download and run the below. After running it, make sure you reboot. Then run it one more time.

    McAfee Consumer Product Removal Tool


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  7. mrzomp

    mrzomp Private E-2

    Thanks again for your help!

    I tried a firewall setting on Spysweeper, and if the filter traffic setting is on, the internet wouldn't work. I followed your instructions with SuperAntiSpyware and also the consumer removal tool of McAfee.

    I have attached the MGTools.zip file for your review.

    Thanks,

    Mike
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure if I follow. Are you saying that Spy Sweeper is causing your connection problems? If so, you need to either speak to Webroot, or you have something set incorrectly, or you need to uninstall it and possibly reinstall it.
     
