Infections - Virtumonde Trojan

Discussion in 'Malware Help (A Specialist Will Reply)' started by mdj1281, Jan 2, 2009.

  1. mdj1281

    mdj1281 Private E-2

    First of all I want to thank everyone who contributed to the already existing "how to" threads on this topic. I have found them very useful and have learned a thing or two while doing this.

    I followed the instructions in the thread HERE and completed the cleaning process as well. Had some issues downloading some of the malware removal tools but I set up my laptop next to me so I could work on the desktop (thank goodness I didn't only have the desktop).

    Initially I found out that I had the Virtumonde Trojan when Lavasoft's Ad-Aware found it, however it was unable to remove the infected file(s). I checked my NOD log and found that it did log the events in both AMON and IMON modules however failed to notify me or address the issue. I also already had Spybot S&D and Spywareblaster installed on my computer, however S&D was out of date and both also did not alert me to any threats.

    I am unsure how to pull a log from Spybot S&D so I took a screen shot of the "recovery" screen to show what was removed by that program.

    As per the Windows XP cleaning procedure I also unchecked the system recovery, rebooted and then re-enabled the system recovery on all drives. Since I have run all of the programs I have yet to have any browsers flying out of nowhere... but it has only been a short while.

    Also, the Spybot S&D showed another trojan virus named Smitfraud-C, anything I should know about this? And are there any suggestions regarding the future protection of the computer as well as what I should now do if the keylogger in Virtumonde was successful in grabbing something of value from me.

    Thank you all for your help.

    Newbie, but hopefully a fast learner,
    Mike
     

    Attached Files:

  2. mdj1281

    mdj1281 Private E-2

    additional log files.
     

    Attached Files:

  3. mdj1281

    mdj1281 Private E-2

    Forgive me for the third post, I thought of it while I was sleeping... but I should also note that the NOD log was taken BEFORE I did any of the recommended cleaning procedures.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    FYI: It's System Restore and you really should not have done this until we had verified everything was clean. However, you are in good shape as far as malware is concerned. We just have some other items to take care of.

    It was also a bad idea to allow NOD32 to run before running the cleaning procedure since it incorrectly decided some of the tools we use are malware. Hmmmm! I wonder how they would like it if we just randomly called their files malware because they can delete files and we decided to delete their files. The difference is that we are smart enough to know what real malware is. ;) Also a warning. You have an illegal copy of NOD running. If your security and your PC's security are important to you then you should purchase a valid copy. Also read this sticky on our policies for future reference:

    Warning about Keygens, Cracks, and other Illegal Software


    You need to uninstall SpywareBlaster v3.5.1 which is way out of date. Then install the current version from here: SpyWare Blaster



    I strongly advise you to clean up your Desktop. Remove everything but links to run programs. Do not download and save programs here and definitely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation, especially when you start saving large files here like you are doing.


    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O15 - Trusted Zone: *.antimalwareguard.com
    O15 - Trusted Zone: *.gomyhit.com
    O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
    O15 - Trusted Zone: *.gomyhit.com (HKLM)

    After clicking Fix, exit HJT.

    Now run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Now run Ccleaner!


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
     
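As an added example (not from the thread or from the MajorGeeks tools), here is a small Python parser for the HijackThis O4 and O15 lines chaslang lists above, with the per-line flagging logic a helper applies before clicking Fix; the sample lines are the ones from the post plus one constructed benign ctfmon.exe entry, and the regexes, the domain allowlist and the MSMSGS name check are my assumptions.

```python
import re

# Constructed sample input: the O4/O15 lines chaslang listed above, plus one
# hypothetical benign O4 entry (ctfmon.exe) to show that not everything is flagged.
SAMPLE_HJT_LINES = [
    r'O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r'O15 - Trusted Zone: *.antimalwareguard.com',
    r'O15 - Trusted Zone: *.gomyhit.com',
    r'O15 - Trusted Zone: *.antimalwareguard.com (HKLM)',
    r'O15 - Trusted Zone: *.gomyhit.com (HKLM)',
]

# Regexes are my own reading of the HijackThis log format shown in the thread.
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
O15_RE = re.compile(r'^O15 - Trusted Zone: (?P<domain>\S+)(?: \((?P<hive>HKLM)\))?$')


def parse_hjt(lines):
    """Turn O4 (autostart) and O15 (IE Trusted Zone) lines into dicts; skip the rest."""
    entries = []
    for raw in lines:
        line = raw.strip()
        if m := O4_RE.match(line):
            entries.append({"type": "O4", "hive": m["hive"], "key": m["key"],
                            "name": m["name"], "cmd": m["cmd"], "raw": line})
        elif m := O15_RE.match(line):
            # HijackThis marks HKLM entries explicitly; unmarked ones are per-user.
            entries.append({"type": "O15", "hive": m["hive"] or "HKCU",
                            "domain": m["domain"], "raw": line})
    return entries


def trusted_zone_domains(entries):
    """Distinct hosts that have been added to IE's Trusted sites zone."""
    return sorted({e["domain"].lstrip("*.") for e in entries if e["type"] == "O15"})


def flag_entries(entries, allowed_domains=(), unwanted_run_names=("MSMSGS",)):
    """Raw lines to tick before clicking Fix. Every O15 entry is flagged unless its
    domain is explicitly allowlisted (Trusted sites get relaxed IE security settings,
    and the two domains in this thread are exactly such additions); O4 Run entries
    are flagged only by name (MSMSGS is Windows Messenger, removed above)."""
    flagged = []
    for e in entries:
        if e["type"] == "O15" and e["domain"].lstrip("*.") not in allowed_domains:
            flagged.append(e["raw"])
        elif e["type"] == "O4" and e["name"].upper() in unwanted_run_names:
            flagged.append(e["raw"])
    return flagged
```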
  5. mdj1281

    mdj1281 Private E-2

    Thank you for responding... I am currently at work, when I get home this is going to be the second thing I do (the first is sleep since I was up all night at a taxpayer fire and did not sleep a wink (Vol. Firefighter)).

    The NOD logs were from before anything else was done (DL of the recommended programs, scanning, etc, etc.) I only posted it because I thought it was odd that it saw something going on and never notified me, plus my luck it would have picked up something no other program did. My knowledge of malware is limited to <Frankenstein> FIRE BAD! </Frankenstein>... that's why I'm so thankful to forums like this that educate and help to fix my issue.

    Also I downloaded SpyWare Blaster from the link provided by the forum. I had a copy of that, SpyBot S&D and Ad-Aware prior to this problem however I un-installed my version of SpyWare Blaster and installed the provided version. However I will do it once more for good measure when I return home.

    Thank you for the heads up on the desktop storage bit... I had no idea it caused those issues.

    I assume that these:
    are the items that I will be fixing.

    Thank you also for the link on how to prevent.

    As far as the NOD... thank you, I assumed that I had a legit copy, now I know why I got it for nothing. With everything that happened a friend told me about Windows Defender so I downloaded that and installed it. I know a lot of people have preferences but should I spend the money to buy NOD, is Windows Defender good enough with the other programs I downloaded as per MG's forum or is there a better program out there that I should look into?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Yes.


    Thank you also for the link on how to prevent.

    Windows Defender is only an antispyware program, not an antivirus program, and it is not very good at even doing that. The Vista version is slightly better but still poor. (This is mentioned in the How to protect yourself link, which I guess you have not read yet.) Yes it is free but not good enough. Purchase SUPERAntiSpyware if you want a good program with good protection and good detection and removal rates. Windows Defender does none of those well.
     
  7. mdj1281

    mdj1281 Private E-2

    Ok, I did everything from your last post and since the initial cleaning I have not had any pop-ups or redirects... everything seems normal.

    You were right about spyware blaster... my mistake. It was Spybot that I updated... I was tired and their names are close, sorry again. Un-installed, updated and ran that as suggested.

    Went through all the steps listed above and also moved everything (except shortcuts) off the desktop.

    I also disabled Windows Messenger... it gave the option for both but I am unsure if there would be any negative or unwanted results if I removed it. Like I said, my knowledge is limited; perhaps a little bit on what its function is would be nice for other users who must also make the choice to disable or remove. If there was one somewhere that I missed then my mistake.

    I also notice that you only have free anti-virus programs on the prevention link. Is NOD worth the purchase over McAfee or Norton etc etc? Perhaps there is already a thread on it that I missed? Just want to know if it is worth the money or if it is no better than a free program.

    Should I run everything once again and post logs again to make sure everything is clean or am I good after those last few steps I did?

    Thank you again for all of your help.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well that is sort of true but all of them can be purchased to get more capabilities and full support. Using the free version gives you the chance to try them out for awhile to see how they work.

    Yes NOD32 is a good program, but many people feel it is more oriented towards a more experienced user. Stay away from McAfee, Norton/Symantec and ALL security suite programs no matter who makes them. They are all resource hogs.

    No! You are all finished as long as you have finished my final instructions.
     
  9. mdj1281

    mdj1281 Private E-2

    Ok, thank you. I just purchased a new Toshiba laptop and, before I read this, I got Norton Internet Security 2009... do you suggest I send it back then and use one of the listed programs?

    Also I will be going through the new computer setup thread that is on here.

    Thank you again for all your help.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay but I assume you purchased a single license for the new laptop which means it is not for your other PC which you had been posting about in this thread.

    It's up to you what you want to do. You could try it and see how you like it. I'm not sure how long before you would have to return it. Hopefully your laptop came with a minimum of 2 GB of memory. Did you purchase the one shown in your link? If so, it has 4 GB of memory. Note it is also an x64 version of Windows. If you manage to get it infected, some of our tools do not support x64. For example, ComboFix and Avenger do not run on it at all. MGtools has some support for it but not very much.
     
  11. mdj1281

    mdj1281 Private E-2

    Norton allows 3 computers to share the same license.

    Yes, I got the one linked to, and the 64-bit version of Vista because I want to take full advantage of Photoshop with it. Still getting used to Vista... not sure how I feel about it yet, especially Office 2007... damn it's different. But enough :cry

    I assume that there will be more support, as the need develops, for the 64-bit version of XP, although I also know Windows 7 is just around the corner... another Microsoft Revolutionary Software release :zzz

    Since I am going to mainly use that laptop for work (website building, databases, etc.) I hope that its risk of getting infected will be very low. But, let's be honest, even with my desktop and a second laptop I will probably eventually fall into the loop of mindless internet browsing sooner or later. :rolleyes

    Thanks very much again for all the help!
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Good deal! :)

    Yes would be what you expect. No one really seems that much in a rush to get x64 support.

    You're welcome. Surf safely and avoid infecting that x64 system because removal may be quite difficult. ;)
     