Can't remove Virtumonde

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by klc237, Oct 7, 2005.

  1. klc237

    klc237 Private E-2

    Hello everyone

    My mother referred me to this site after I began having problems with my PC. Recently I have noticed that the CPU runs at 50% or higher pretty much constantly and the process that is using it is explorer.exe and I am convinced that some type of malicious code is causing the spike in processor activity. First of all I followed each step in the thread by Major Attitude (Do Not Post Until You Have Read This etc.) which succeeded in finding Virtumonde, yet AdAware--even though it claims to have removed it--doesn't remove it. I read the thread by bopper10 who apparently had the same issue, and now have hijackthis but my log differs from his and I don't want to remove anything I shouldn't. So basically I have my own logfile here so if anyone could advise me as to what to do next I would be very grateful.

    Thank you!
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you have completed the READ ME then follow the below steps...

    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file, as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word, etc., and any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post, as it will be removed.)

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. klc237

    klc237 Private E-2

    Ok, I ran HijackThis from its own folder on C:\ with everything closed like it said and had it fix two O9s (extra buttons) that had no names and I did not recognize, nor were they present on the toolbar itself.

    I saved the logfile and here it is.

    Thanks!
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.


    Please print these instructions out for use in Safe Mode.

    Please download VundoFix.exe to your desktop.

    • Double-click VundoFix.exe to extract the files
    • This will create a VundoFix folder on your desktop.
    • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
    • Once in safe mode open the VundoFix folder and double-click on KillVundo.bat
    • You will first be presented with a warning and a list of forums to seek help at.
      it should look like this
    • At this point press enter one time.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):
    C:\WINDOWS\system32\ssttq.dll

    • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):
    C:\WINDOWS\system32\qttss.*

    • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    • The fix will run then HijackThis will open.
    • In HiJackThis, please place a check next to the following items and click FIX CHECKED:
    O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ssttq.dll
    O20 - Winlogon Notify: ssttq - C:\WINDOWS\system32\ssttq.dll

    • After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
    • Pressing any key will cause a "Blue Screen of Death"; this is normal, do not worry!
    • Once your machine reboots please attach a fresh HJT log from normal mode.
     
  5. klc237

    klc237 Private E-2

    Ok, I did everything on the list exactly as directed but the blue screen of death did not reboot the computer. I ended up shutting off the power supply after about fifteen minutes; I hope that isn't a problem. Anyway, I now have a fresh logfile for your viewing pleasure.

    Thank you!

    *on a side note, I have noticed that when rebooting the computer in safe mode--rather than safe mode with networking--neither the tool bar, nor any desktop icons are displayed, and in order to run any programs, etc., I must run them via the Task Manager. Is this a problem?
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    MyWaySA

    SearchAssistant

    MyWebSearch


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll

    O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll

    O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Kevin\Desktop\MajorGeeks.com tools\cwshredder.exe (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\Program Files\MyWaySA

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, scan with HijackThis and attach the new log.
     
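    Added here as an illustration (it is not part of the thread and not a HijackThis feature): a small Python parser for the HJT entry format quoted in posts 4 and 6, flagging the patterns the helper acted on, namely unnamed hooks/BHOs, services whose file is missing, and a system32 DLL registered both as a BHO (O2) and a Winlogon Notify handler (O20). The sample log is constructed from the entries quoted above; the `\system32\` filter and the O2/O20 pairing heuristic are this example's own assumptions.

```python
import re

# Constructed sample log, modelled on the HijackThis entries quoted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ssttq.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O20 - Winlogon Notify: ssttq - C:\WINDOWS\system32\ssttq.dll
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Kevin\Desktop\MajorGeeks.com tools\cwshredder.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")  # "O2 - ...", "R3 - ..."
PATH_RE = re.compile(r"[A-Z]:\\.+?\.(?:dll|exe)\b", re.I)     # first drive path ending in .dll/.exe

def parse_hjt(text):
    """Split a HijackThis log into entries, pulling out the fields a reviewer compares."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # blank lines and section headers are not entries
        body = m.group("body")
        path = PATH_RE.search(body)
        entries.append({"kind": m.group("kind"), "body": body,
                        "path": path.group(0).lower() if path else None,  # Windows paths compare case-insensitively
                        "no_name": "(no name)" in body,
                        "file_missing": "(file missing)" in body})
    return entries

def find_vundo_pairs(entries):
    """system32 DLLs registered both as a BHO (O2) and a Winlogon Notify handler (O20).
    That pairing is what the thread's fix removes: the O20 hook loads the DLL into
    winlogon.exe at logon, so it is already in memory before any user-mode tool runs."""
    bho = {e["path"] for e in entries if e["kind"] == "O2" and e["path"]}
    notify = {e["path"] for e in entries if e["kind"] == "O20" and e["path"]}
    return sorted(p for p in bho & notify if "\\system32\\" in p)

def flag_entries(entries):
    """Entries a helper looks at first: nameless hooks, dead services, paired DLLs."""
    paired = set(find_vundo_pairs(entries))
    flags = []
    for e in entries:
        if e["no_name"] and e["kind"] in ("R3", "O2"):
            flags.append(("unnamed URLSearchHook/BHO", e["body"]))
        elif e["file_missing"]:
            flags.append(("service points at a missing file", e["body"]))
        elif e["path"] in paired:
            flags.append(("BHO + Winlogon Notify pair", e["body"]))
    return flags
```

    Running `flag_entries(parse_hjt(SAMPLE_LOG))` reproduces the helper's pick list: both deSrcAs.dll hooks, both ssttq.dll entries, and the stale CWShredder service.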
  7. klc237

    klc237 Private E-2

    Ok, I did everything as directed in your latest post and have a new logfile for you to enjoy!

    While I attempted to fix the suggested items on hijackthis, two of them did not exist:

    Also, while scanning with Spybot - Search & Destroy, the following error occurred:
    Also, once I have successfully used the Vundo tool should I remove it or leave it on the desktop?

    Thank you!
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Sorry it's been a few days been really busy with work and fire prevention.

    Anyway, your HJT log is clean, are you having any further problems?
     
  9. klc237

    klc237 Private E-2

    Nope, everything seems to be running normal now.

    Thank you very much for helping me with this problem! I'll be sure to remember you guys if something like this comes up again.

    Again, thank you for your help.
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert
