Need severe help with Virtumonde: The Resurrecting Trojan!

Discussion in 'Malware Help (A Specialist Will Reply)' started by Kbdraggzz, Sep 17, 2008.

  1. Kbdraggzz

    Kbdraggzz Private E-2

    Hi everyone, my name's Chris, and I came here after doing the READ ME FIRST guidelines about removing malware from my computer. Here are the symptoms of my problems and background information:
    - About two days ago I was surfing the internet and found a bit torrent which I wanted to download, so I clicked the link and it did as it normally should for my comp (open limewire etc.), but I noticed that a popup showed up which I couldn't cancel out of; I had to CTRL ALT DEL it. Then I restarted my computer and the Windows Automatic Update Security Alert came up. I went to try to change it to ON but it comes up with an error 1058, "We're sorry we cannot change this etc..."
    - I ran Spybot, and it found a lot of Virtumonde. As it came across it in the scan, it pops up with "It is recommended that you restart your computer and let Spybot run on boot." (Yes/No) IF YOU CLICK YES, the computer crashes to blue screen with a FATAL ERROR. If you click NO, it continues to scan, and at the end some Virtumonde material (.dll mostly) shows up, and I "fix" it, but it comes right back. The same thing happens when I run SUPERantispyware, but it crashes and does not proceed. The Windows Security Alert never went away.
    - I could not run MalwareBytes because of something about a miscellaneous .dll file being missing, and the same happened when I attempted to run VundoFix.exe. However, I ran ComboFix.exe with the Service Pack attached, and it found the files which Virtumonde is attached to, erased them and everything. Then upon restart, the Windows Security Alert is back and cannot be changed. My logs from MGTools are attached in this and another post. Please help me, I'm not very good at this sort of thing, and would be MOST grateful if someone would look at this problem for me! Thank you all early!

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    According to your other logs SUPERAntiSpyware (aka SAS) did run and it made a log. Please attach the below log:
    Code:
    "C:\Documents and Settings\Boofizzle\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Logs\"
    supera~1.log Sep 17 2008 1936  "SUPERAntiSpyware Scan Log - 09-17-2008 - 16-01-38.log"
    We need to know the exact message and exact DLL file name.

    Have you attempted to run SAS and MBAM again after having run ComboFix?
    Have you tried running them in safe boot mode if normal boot mode does not work?


    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.



    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Copy the bold text below to Notepad. Save it as fixme.reg to your Desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). Make sure you accept the license agreement for TrendMicro HijackThis if it pops up.



    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Sep 18, 2008
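Editor's added note, not part of chaslang's reply or the MajorGeeks procedure: the "error 1058" the original poster sees when trying to switch Automatic Updates back ON is the Windows service-control error ERROR_SERVICE_DISABLED, which means the service's start type has been set to Disabled rather than the service merely being stopped. The batch script below is an added diagnostic for a Windows XP machine: it queries the start type and current state of the Automatic Updates service (wuauserv) and the Security Center service (wscsvc), and only when run with the argument `fix` does it set them back to automatic start. The service names are real XP service names; the script itself and the `fix` argument are this example's own conventions.

```batch
@echo off
REM Added diagnostic (not from the thread): show why Automatic Updates
REM reports error 1058. START_TYPE 4 (DISABLED) means the service was
REM disabled, which is what ERROR_SERVICE_DISABLED (1058) signals.
for %%S in (wuauserv wscsvc) do (
    echo === %%S ===
    sc qc %%S    | findstr /i "START_TYPE"
    sc query %%S | findstr /i "STATE"
)

REM Re-enable only when explicitly asked ("check.cmd fix"), and only after
REM the malware cleanup has been confirmed, since Vundo re-disables services.
if /i "%~1"=="fix" (
    sc config wuauserv start= auto
    sc start  wuauserv
    sc config wscsvc   start= auto
    sc start  wscsvc
)
```

Run it from an administrator command prompt; if the start type shows DISABLED again after a reboot, that is a sign the infection is still active and the logs chaslang asked for are the right next step rather than re-enabling the services again.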
