Can't Completely Remove Virtumonde (Continued with logs)

Re: Can't Completely Remove Virtumonde (With Attachments)

Welcome to Major Geeks!

Did you happen to notice the below sticky thread?

Sticky: HJT Tutorial - DO NOT POST HIJACKTHIS LOGS


Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

READ & RUN ME FIRST. Malware Removal Guide

 

Re: Can't Completely Remove Virtumonde (With Attachments)

If you want our help to fix what those programs you have paid a lot of money for cannot do, then please follow our instructions. Otherwise you are welcome to call Symantec and Webroot and pay some more money to get technical support that will still not fix your problems.

Our methods are used hundreds of times per week and they work. Symantec and Webroot will not remove this infection and normally they miss most of the files and registry keys associated with the malware which is why they cannot remove the problems.

 

Re: Can't Completely Remove Virtumonde (With Attachments)

The cleaning procedure for Windows XP will give you a list of logs to attach at the end if you are still having problems.

 

Re: Can't Completely Remove Virtumonde (With Attachments)

What browser are you using? Sounds like FireFox and that you never set the option to tell it to allow you to choose where to download which is what you should set. Downloading to the Desktop by default allows you to find them easily which may be good for people who don't know there way around Windows but it leads to cluttered Desktops. Cluttered Desktops slows PCs down and provides a great hiding place for malware.

If FireFox is what you are using, Click Tools, Options, and on the Main tab select Always ask me where to save files. If for some reason you still have a problem trying to save MGtools.exe properly. You can download it to your Desktop and move it after downloading, or if necessary (but we prefer not) run it from your Desktop.

 

Re: Can't Completely Remove Virtumonde (With Attachments)

Not a problem since my final instructions (when we get to them will take care of this.

Yes because more than likely, you still have components of the infection that need to be removed.

 

How do you like how our tools found and remove things that your "better rated spyware/virus related programs" did not find and remove? Your Spy Sweeper scan is still incorrect since there is a little more to do. I recommend that you shutdown Spy Sweeper before doing the below to avoid having Spy Sweeper actually get in the way of proper malware removal.


Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {A2B8EA46-6C2C-4069-A613-1DC165E18DF8} - C:\WINDOWS\system32\tuvVLbYo.dll (file missing)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [6c4087b0] "rundll32.exe" "C:\WINDOWS\system32\pufwoxcr.dll",b
O20 - Winlogon Notify: nnnmlJBq - nnnmlJBq.dll (file missing)

After clicking Fix, exit HJT.

Now we need to use ComboFix.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

It would be in your best interest to complete them ASAP. These infections will respawn and spread (often changing names/creating new files) if not completely removed. And at each power down or power up you risk the chance of it reinfecting you.

 

Re: Can't Completely Remove Virtumonde (With more new logs)

Why did you start a new thread? I'll merge this back to your first thread.

 

Re: Can't Completely Remove Virtumonde (With more new logs)

Your logs were from safe boot mode and they need to be from normal boot mode. Let's fix the below and get a new log.


Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://gomyhit.com/MTg2MzY=/2/288//
O20 - Winlogon Notify: nnnmlJBq - C:\WINDOWS\

After clicking Fix, exit HJT.

Now make sure that you reboot into normal boot mode and then get the below new log.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

Then attach the below log:

• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Re: Can't Completely Remove Virtumonde (With more new logs)

You can only put 3 attachments into a single message, not a thread.

 

Your logs are clean.

Try the below.


Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.


After doing the above, reboot and see if there is any change. If not, it may be necessary to reinstall Symantec. The infection you had may have damage it.

 

But what are you answering with?

You can uninstall SUPERAntispyware now since we are finished with it but not there is also an option to tell it not to load with Windows.

 

No it is not normal! So either Symantec is having a problem local to itself or there is a conflict between it and Spy Sweeper in getting things setup properly.

Click the Preferences button and on the General and Startup tab uncheck the option that says Start SUPERAntiSpyware when Windows Starts.