Virtumonde is killing me!!!

Welcome to Majorgeeks!

Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

• Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
• Make sure you check version numbers and get all updates.
• Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

• After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis​

Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.​

• When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
  • CounterSpy
  • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy
  • Bitdefender - from step 6
  • Panda Scan - from step 6
  • runkeys.txt - the log from GetRunKey.bat
  • newfiles.txt - the log from ShowNew.bat
  • HijackThis

NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!

 

Do you or your wife do any online business?

If so, you need to change passwords and (if you use a credit card or give out routing and account numbers) alert your banks.

Please use add/remove programs to uninstall:
DrvCareXP v4.2
Java 2 Runtime Environment, SE v1.4.2_03
Reboot and install:
Java Runtime 6

Now:
1. Click on the Start button.

2. Click on the Run option.

3. In the Open: field type "cmd /k sc delete $sys$aries" (without quotes) and press the OK button.

4. Reboot your computer

5. Delete C:\%WinDir%\system32\$sys$filesystem\aries.sys (Replace %WinDir% with the directory that Windows is installed on your computer)

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

After clicking Fix, exit HJT.

Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now download The Avenger by Swandog469, and save it to your Desktop.

* Extract avenger.exe from the Zip file and save it to your desktop
* Run avenger.exe by double-clicking on it.
* Check the 'Input script manually' box.
* Click on the magnifying glass icon.
* Copy everything in the Quote box below, and paste it in the box that opens:

* Now click the 'Done' button.
* Click on the traffic light icon and OK the prompt.
* You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt

Now after reboot, please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked so if you have some cookies you'd like to save. Please move them to a different directory first.

* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.

If you use Firefox browser

* Click Firefox at the top and choose: Select All
* Click the Empty Selected button.
o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

* Click Opera at the top and choose: Select All
* Click the Empty Selected button.
o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main ATF Cleaner menu to close the program.
Attach new logs for:
ShowNew
GetRun
HJT
Avenger

 

Make sure they are new logs and not the same old logs. Also if that is not the problem, dump your browser cache (see below) and then click refresh a couple of times

1. Run Internet Explorer
2. Click Tools and select Internet Options
3. Now on the General tab, click Delete Files and select Delete all Offline content too on the next window, Click OK. When it finishes Click OK.

 

You had HJT in the right place the first time:
C:\Program Files\analyze.exe
Why did you uninstall and then reinstall here (where we specifically tell you not to):
C:\Documents and Settings\Jeff\Desktop\Anti-Virus Tools\analyze.exe

Were you able to delete this:
C:\%WinDir%\system32\$sys$filesystem\aries.sys

Please Disable Spybot's TeaTimer

* Run Spybot and click Mode
* Select Advanced Mode.
* Then click Tools and select Resident.
* Now in the right window pane, uncheck TeaTimer.
* Also while this is open, in the left column now select IE Tweaks
* and then in the right pane make sure all the Miscellaneous locks are unchecked.
* Now quit Spybot!

Now:
Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

After clicking fix, exit HJT.

Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

* Run avenger.exe by double-clicking on it.
* Check the 'Input script manually' box.
* Click on the magnifying glass icon.
* Copy everything in the Quote box below, and paste it in the box that opens:

Now click the 'Done' button.
* Click on the traffic light icon and OK the prompt.
* You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt

Please attach new logs for:
ShowNew
GetRun
HJT
Avenger

Tell me how things are running!

 

Are you running two firewalls? Norton and Outpost? (Not a good idea).
Do you have more than this one computer.....are you on a network?

I'm not seeing any malware issues ......can you give me more info on what Norton is popping up?

For reference:
http://www.bleepingcomputer.com/startups/CDProxyServ.exe-13346.html

 

There is not a lot of support around here for Norton ...for all the reasons you give. But to have it pop up saying what you post, would suggest a firewall notice. And yes, it very well could just be your laptop is trying to access your computer thru the wireless network.
Turn it off and see what happens.....if you were actually being "probed" then Outpost would report it.

Did you run any of the scans from her login?

I'd keep Outpost and dump Norton ...too many just as effective freeware anti-virus software that doesn't hog down your computer.

Are you telling me that the laptop is the only computer you have?

 

We have a Norton uninstall program on MG;s and you will find either AVG freeware or Avast on our top freeware picks section.

As to your wife's login ...it would be a very good idea to run the following on her account just to be certain:
ShowNew
GetRun
HJT

Also run the ATF cleaner on her login.

 

Her logs are clean also. If you are still having problems with Norton ....you may wish to uninstall, try a different anti-virus program and if that solves your problem .....
If not, let me know.

 

You're welcome .....safe surfing!!