You guys rock

Discussion in 'Malware Help (A Specialist Will Reply)' started by DeeViper, Aug 28, 2007.

  1. DeeViper

    DeeViper Private E-2

    Much :heart for you guys. I followed all the steps in the "read me" and then went to the specialized section as directed for virtumonde and this nasty pop-up infested machine is C L E A N !!!

    MajorGeeks + me = :boxing Dirty Machines!

    Thanks guys!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    If you have run the full READ & RUN ME, I would suggest that you attach the logs from GetRunKey and ShowNew. Do this even if you think you are clean. Virtumonde can hide many files on your PC and the normal procedures (even with VundoFix) will not remove all of them.

    In fact it would be even a better idea to attach all 6 logs from the READ & RUN ME. To be specific, that list of logs is:
    • CounterSpy - only for Windows XP, 2K, & NT users
    • AVG Antispyware log - ONLY IF NEEDED because you were not able to run CounterSpy. - only for Windows XP, 2K, & NT users
    • Bitdefender - from step 6
    • Panda Scan - from step 6
    • runkeys.txt - the log from GetRunKey.bat
    • newfiles.txt - the log from ShowNew.bat
    • HijackThis
     
  3. DeeViper

    DeeViper Private E-2

    Alrighty. I'll do that tomorrow when I get into the office. I kept running the logs in BD until they were clean, using KB to remove files BD couldn't. I kept running HJT until nothing "odd" was showing up, looking at other posts with the same issues for similar entries to remove. Same with SpyBot, got stuck on Virtumonde but got that fixed with the fixer located on the special clean up page. Ran SB after that and cleared out the remaining files. The panda log may have found some stuff that I couldn't resolve w/o buying it... I forgot now though.

    So sure, I'll post up the logs tomorrow. Better safe than sorry. :cool
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If HJT is not renamed as requested, many Vundo related entries will not even show up so be sure you renamed it.
     
  5. DeeViper

    DeeViper Private E-2

    The Vundo removal thread did not say to rename HJT. However, I did do that today and I don't think I found anything odd. Anyhow, attached are the logs for your perusal. Enjoy. :)
     

  6. DeeViper

    DeeViper Private E-2

    More. I will post the CounterSpy log once it is done with the scan.
     

  7. DeeViper

    DeeViper Private E-2

    CounterSpy log attached.
     

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Because that link does not even mention HJT since it is not used in that procedure. The READ & RUN ME does tell you to rename it and so does the HJT Tutorial. ;)

    I'm looking at your logs now.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is the below supposed to be HijackThis?


    C:\Documents and Settings\KaThErInE TsOuGaRaKi\Desktop\fred123.exe

    This is located exactly where we specify not to install it and, in addition, it will be treated by most scanners and also by people reading logs as malware. Please install it and rename it as suggested to avoid these problems and also other problems that can occur due to where you installed it. It should look like this:

    C:\Program Files\HijackThis\analyse.exe
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like you did not really have a real Vundo infection. What Spybot detected does not appear to be truly Virtumonde. You do have a couple other problems though.

    Please attach the C:\VundoFix.txt file I want to see what is in it.

    You can uninstall the CounterSpy trial now since we are finished with it.

    Delete the below files (use safe boot mode if you cannot delete in normal mode):
    C:\WINDOWS\system32\ierplc.dll
    C:\WINDOWS\system32\qmopt.dll
    C:\WINDOWS\system32\"B.tmp


    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    You can also have HijackThis fix the below non-malware items. They are just unnecessary startups that waste system resources.

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

    After clicking Fix, exit HJT.

    Now attach new logs from ShowNew and GetRunKey.
     
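As an added example (not from the thread, and not HijackThis's own code), a small Python parser for O4 run-key lines like the two chaslang lists above; it splits the unquoted path-with-spaces case correctly and flags the names the thread calls unnecessary startups, plus anything launched from a user's Desktop or Temp folder. The third sample line, the `updater` name and `fred123.exe` running from Desktop are constructed to exercise the path check.

```python
import re
from collections import namedtuple

# Constructed sample in HijackThis O4 format: the thread's two lines plus a constructed Desktop entry.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Desktop\fred123.exe /silent
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# Shortest prefix ending in a launchable extension, so unquoted paths with spaces survive.
EXE_RE = re.compile(r'^(?P<exe>.+?\.(?:exe|dll|bat|cmd|com|scr|vbs))(?:\s+(?P<args>.*))?$', re.I)
USER_DIR_RE = re.compile(r'\\Documents and Settings\\[^\\]+\\(?:Desktop|Local Settings\\Temp)\\', re.I)
UNNECESSARY = {'QuickTime Task', 'RealTray'}  # names the thread calls resource-wasting startups

RunEntry = namedtuple('RunEntry', 'hive key name exe args')

def split_command(cmd):
    # Separate the executable path from its arguments (quoted or unquoted path).
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    m = EXE_RE.match(cmd)
    if m:
        return m.group('exe'), (m.group('args') or '').strip()
    return cmd, ''  # no recognisable extension: keep the whole value as the path

def parse_o4(log_text):
    """Parse every O4 line in a HijackThis log into RunEntry records."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        exe, args = split_command(m.group('cmd'))
        entries.append(RunEntry(m.group('hive'), m.group('key'), m.group('name'), exe, args))
    return entries

def review(entries):
    """Return (name, reason) pairs for entries worth a second look."""
    findings = []
    for e in entries:
        if e.name in UNNECESSARY:
            findings.append((e.name, 'unnecessary startup'))
        if USER_DIR_RE.search(e.exe):
            findings.append((e.name, 'runs from user Desktop or Temp'))
    return findings
```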
  11. DeeViper

    DeeViper Private E-2

    Ok, I fixed that.
     
  12. DeeViper

    DeeViper Private E-2

    Alright, will do all of that shortly and will report back.
     
  13. DeeViper

    DeeViper Private E-2

    Here's the Vundo file.
     

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay that shows that you did have Vundo but only a minor form of it. You need to complete my other instructions in message # 10.
     
  15. DeeViper

    DeeViper Private E-2

    Done. Logs attached.
     

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, and the C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    10. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
  17. DeeViper

    DeeViper Private E-2

    Most excellent. I hope this was an easy case for you. ;) Thanks for the added help.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes it was an easy one. ;)

    You're welcome. Surf safely.
     
  19. DeeViper

    DeeViper Private E-2

    Thanks again. Don't worry about me, I'm a computer nerd :cool that knows the perils of unsafe surfing. It's my manager's kids and her niece we have to be worried about! Kids click "yes" to the darnedest things...

    "Would you like to install a virus and make your computer a pop-up hell?"

    >>Yes<<


    Oh well, I'm still employed and now my boss owes me one! Not to mention, I've already fixed her other kids' computers a few times already and now I've got another one on deck. I might post some logs from that one if I run into anything weird.

    Cheers! :wave
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    If you have any other PCs to work on, start new threads for them and be sure to put into your message that it is another PC so it is not assumed to be the one in this thread.
     
  21. DeeViper

    DeeViper Private E-2

    Will do! :highfive
     