virtumonde and smitfraud, no icons on desktop

Discussion in 'Malware Help (A Specialist Will Reply)' started by ellen46240, Jan 14, 2009.

  1. ellen46240

    ellen46240 Private First Class

    in a feeble attempt to clear virtumonde and smitfraud with Spybot S&D, I attempted a restore (XP), but managed to lose all icons on my desktop (no start command line.. only my wallpaper photo). I have seen the procedures to clean the system, but don't know where to start with restoring normal desktop function.. no right click on the desktop). I can run some programs via windows task manager. Suggestions to restore desktop first?
    E
     
    Last edited: Jan 14, 2009
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Did you just do a "repair" or a "restore" from a Restore disc?

    Is there any needed data on the drive? If not, I would just reinstall the OS as in "format/reinstall".
     
  3. ellen46240

    ellen46240 Private First Class

    There are files I would like to recover if possible. The "restore" action was responding to a window which asked if I wanted to use the last good restore point.. no disks were involved. Symptoms were, nothing on the desktop, except wallpaper photo. But via Window Task manager, I posted to the forum, and then downloaded the CCleaner, and PCTools to do the prescribed "do this first" list. I ran CCleaner, but did not run the registry cleaner, before IE windows began to pop up like mushrooms, I finally got them clicked off, and did End task on WTM. With IE shut down, Spybot completed a previously stalled scan, and icons returned to the desktop! Since, and without going back on line or loading IE with it, I have made a full Spybot S&D scan, and it completed, with a log. But stability is certainly in question. If possible, I can attach logs to an Outlook generated email, and not use IE to return the logs. I'm concerned about using a thumb drive to copy the logs back to this (working) machine for fear of infection. What else might I need to run, if anything, to get enough stability or troubleshooting accomplished, to potentially do any software repairs with the logs? Dial a Prayer?? LOL

    This post BTW is from a recent borrowed laptop, so I can safely write any downloads to a cd, and put them into the infected machine without IE or internet use. And I now have Firefox on this one. Thanks!
     
    Last edited: Jan 16, 2009
  4. ellen46240

    ellen46240 Private First Class

    I tried to edit the other post, but was too late. I could potentially load Firefox onto the infected machine, via CD.. but don't want to do anything disk oriented until I hear from you. Thanks a million!
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I would go back to the READ ME and download the programs onto a CD and transfer them to the infected computer. Run all of the programs and once complete attach the logs.
     
  6. ellen46240

    ellen46240 Private First Class

    Hi,
    I managed to load a tool kit of the necessary programs to my desktop. Did CClean and registry. Del/add Java updates, Updated and ran SuperAntiSpyware but got blue screen several times before unclicking Kernel Direct boxes. Will do the rest of the scans, but glad that I got this far.

    I just managed to post the first log to a thread which I had open in "software" (for a different machine) by mistake, .. and your upload program won't let me re-load it here. I think it was 1273519.

    Do I look like a log spammer?? ;)
    THX Jerry
     
    Last edited: Jan 21, 2009
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If it's malware related you need to stay in one thread in this forum. When you work in multiple threads and/or forums it makes it more difficult to address the problem.

    I need the logs from the READ ME, if you can please attach them to this thread. If you can't because of an error, add something to the log like a line that says "test" and save the log then re-attach it.
     
  8. ellen46240

    ellen46240 Private First Class

    Hey..
    Hope you are getting more sleep than I am! LOL
    I ran the rest of the scans, but not sure if each updated properly, etc. But no empty logs. McAfee did locate a viewer file in MGtools, and I think prevented it from running. The system appears to be much more stable than it was, but from a comment about the sas file, there is probably more work to be done. I need/want to shut down (me/it). Let me know, if there are specifics to look for, regarding further issues.

    As I recall, I was downloading something from a web site (sorry) "123 something".. got a pop-up that was a "virus scanner2009" as I recall.. said I had a bunch of problems.. and by the time it got done.. I did. Other symptoms listed already. I was on line with it briefly, the desk top looks normal, file transfers work, the scans ran pretty much as expected.

    My other 3 files are attached below hopefully, and sorry, but I don't know how to delete the other one, from a mistaken post over in software. I really don't want any of you folks fighting over my log files.. ya know?? lol

    Hey, all the effort you people have put into this site, is amazing.. and ya know that it's GREATLY appreciated. BTW, I'm on line with the overgrown calculator of a lap-top, so timing on this tower is not critical here! THX Jerry
     

    Attached Files:

  9. ellen46240

    ellen46240 Private First Class

    I added a line at the top of the file.. I had already tried renaming it!
    Thanks again for the help, Jerry
     

    Attached Files:

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Pre-Instructions:
    1. First, please disable any antivirus and/or antispy programs you have installed so they will not block this fix.
    2. Print out these instructions or save them to a text file so that you can operate with All Browser Windows CLOSED.

    Step 1:
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Again, make sure ALL browser windows are closed when you click FIX.

    Step 2:
    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Step 3:
    Default Security Settings

    To Default Security Settings:
    For Internet Explorer 6 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up navigate to the Security Tab and click Default Level for the following:
    • Internet
    • Local Intranet
    • Trusted Sites
    • Restricted Sites.
    Click OK to exit.

    For Internet Explorer 7 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up, navigate to the Security Tab and simply click the "Reset all zones to default level" button. Click OK to exit.

    NOTE: If it's "grey" then it's already at the default level.
    Step 4:
    Please download ATF-Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF-Cleaner menu to close the program.

    Step 5:
    Finally, run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
  11. ellen46240

    ellen46240 Private First Class

    Thanks for the instructions. No glitches running the programs. SAS and McAfee both reloaded after a restart, but I had to manually restart McAfee when finished. Should it be running with SAS? The Recovery Console never loaded, (was off line), is that a concern? Everything appears to be running, but loading the files here from a different computer, just to get them on here. Will log onto the web with the other one shortly. Unknown, if there is more to do.. so don't want to use it actively, until I hear back from you.

    McAfee just popped up with Potentially Unwanted Program "Tool-NirCmd" in C:\System Volume Information\_restore{A62382FF-F1C1-4716-A3E3-83BF2FC8DFF7}\RP358\A0086091.COM

    Jerry
     

    Attached Files:

  12. ellen46240

    ellen46240 Private First Class

    I had planned to run the computer more, or on line, but the pop-up was a concern, so I shut it down. I assume that the file was found in a restore point backup (apparently yet to be deleted). But I'm not in a rush, so would prefer to wait on your reply.

    I used to be on the technical support end.. early 80s, with Z-80 CP/M based PCs. Once in a while, "a" file might get transmitted.. but internet use, and Windows complexity was only a future nightmare at the time! Late for the learning curve, but this is an education! Thanks for all the patience and effort. Jerry
     
  13. ellen46240

    ellen46240 Private First Class

    I have a new and different question.. which could be related to the target computer, so you can let me know if this needs to be posted elsewhere. I have a blog, as listed in the log files (as a trusted site). It's linked to picasa on-line photo storage, has text, two outside links listed, and ONE "followers" photo (at last view). Today, I get a reply email (where my signature block contains the blog link), and McAfee Site Advisor has a red block up, with MY BLOG link listed as the offending site!

    Questions include: What are the modes by which a blog can be infected? Via a followers photo for example? Is Picasa secure? Does Picasa scan photos, to verify no infections? (It could have come from my computer, or my computer could have been infected by it.. or totally unrelated). Is Blogger.com secure? And the biggie, how do I take it off line, without fear of being infected again myself.. (if that had been the case)? Yeah, I know, different can of worms. Let me know if I need a new thread. Jerry
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your logs are clean! If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware & Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. If we had you run Avenger, you can delete all files related to Avenger now.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis.
    8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    9. If you are running Windows Vista, Windows XP or Windows ME, you need to follow the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I don't know a whole lot about blogs but I would think the only way for them to be infected is to have infected files or have malicious links.

    The best way to protect yourself from malware is to follow step 10 in my previous post.
     
  16. ellen46240

    ellen46240 Private First Class

    Thanks for all the help thus far. A few more problems have appeared. I've basically been off of the desk top computer, except for these clean up sessions. And it's physically been off-line, for almost all of this time. As I proceeded:

    MGTools, couldn't be deleted, as it came up running apparently in background, on boot. So I did End Task, after deleting the other parts of that download. I was concerned that it hadn't completed its function, from before, as it didn't run quite as described. But I uninstalled the other items, and did CCleaner for files and registry. Looking at MBAM, it still contained the quarantined files found from before, despite the log saying they were gone, so I deleted them (within MBAM). I connected to the internet, and I did a quick check on OUTLOOK, because I use it sometimes for quick email, and did a test echo to my ISP mailbox (which included a send/receive command).

    At that point, I went off line with that computer, and back on line with my laptop, and I happened to check my YAHOO mail account, and there were 6 files, just sent from Outlook and the ISP address. One a jpg photo, one a previously forwarded link (cop/naked biker, which I had opened about the time that all of my problems had begun), and 4 copies of one of my Excel files. All were "inflated" by 10-40K over the size of the original files still on my desk computer. But I hadn't "sent them" myself. But when things had gone bad.. maybe they were put in the outgoing mail folder?? And only sent now? I could not scan the files within either the Outlook or Yahoo locations. But I did view the source code in one, and found in part 2 different files (image 002 also): cid:image001.jpg@01C95A50.309144C0 I had no luck finding info on the address.

    I deleted all of those related emails, in both computers. When I did another CCleaner on the desk computer, I then saw them listed as "myfilename.XLS.LNK"!! So indeed these had been "converted or appended" (?) to LINK files (with the extension not visible in either email listing).

    I then ran Spybot S&D.. clean. I ran McAfee scan, clean. I reran MBAM.. clean. I checked SAS, and found the 70 entries, then deleted all quarantined.. (With McAfee flashing warnings, but I think only for the info in the new log file). I reran SAS.. clean. But did not clear the RESTORE points yet, or defrag.. as I am not real comfortable with what just happened, regarding the email. Further advice? I may have only been lucky that the emails were only sent to my own address! As I now assume (in part) that the forward was the source of my infection. Thanks a million, highly appreciated!!
     
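    The "myfilename.XLS.LNK" observation above is a deceptive double extension: with Explorer's "hide extensions for known file types" on, a Windows shortcut file is displayed as if it were a spreadsheet. The following is an added example, not code from the thread or from any tool named in it, that flags such files in a folder and confirms the Shell Link header (MS-SHLLINK); the folder contents are constructed inside the script, and the extension list is an assumption.

```python
import os
import tempfile

# Shell Link (.LNK) header: HeaderSize 0x4C followed by the ShellLink CLSID
# {00021401-0000-0000-C000-000000000046}, both stored little-endian (MS-SHLLINK).
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")

# Assumed list of extensions a user expects to be a document or picture; a
# trailing ".lnk" behind one of these is the pattern seen in the thread.
DOCUMENT_EXTS = {".xls", ".doc", ".pdf", ".jpg", ".jpeg", ".txt", ".zip"}


def is_lnk(path):
    """True if the file starts with a Shell Link header, whatever its name says."""
    with open(path, "rb") as f:
        return f.read(len(LNK_MAGIC)) == LNK_MAGIC


def find_disguised_links(folder):
    """Return a sorted list of (displayed_name, real_extension, has_lnk_header).

    A file qualifies when Explorer, hiding known extensions, would show it as
    'name.xls' (or similar) although the real extension is '.lnk'.
    """
    findings = []
    for name in os.listdir(folder):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        stem, last = os.path.splitext(name)      # 'budget.XLS', '.LNK'
        _, inner = os.path.splitext(stem)         # '.XLS'
        if last.lower() == ".lnk" and inner.lower() in DOCUMENT_EXTS:
            findings.append((stem, last.lower(), is_lnk(path)))
    return sorted(findings)


def build_sample_folder():
    """Constructed sample data: one real spreadsheet (OLE magic bytes) and two
    shortcut files whose names mimic a spreadsheet and a photo."""
    folder = tempfile.mkdtemp(prefix="lnkcheck_")
    with open(os.path.join(folder, "budget.xls"), "wb") as f:
        f.write(b"\xd0\xcf\x11\xe0" + b"\x00" * 60)
    with open(os.path.join(folder, "budget.XLS.LNK"), "wb") as f:
        f.write(LNK_MAGIC + b"\x00" * 56)
    with open(os.path.join(folder, "biker.jpg.lnk"), "wb") as f:
        f.write(LNK_MAGIC + b"\x00" * 56)
    return folder


if __name__ == "__main__":
    for shown, real, confirmed in find_disguised_links(build_sample_folder()):
        print(f"{shown!r} is really {real}; LNK header present: {confirmed}")
```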
  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You said SAS found 70 entries, what were they exactly?
     
  18. ellen46240

    ellen46240 Private First Class

    The 70 some files were the ones from the very first scan (included in the SAS file in post #9 here). They had not been deleted, as the instructions implied that they would be gone. So, it didn't find anything new.. but when I still saw them as quarantines, I did delete them. But the concern, was that if they were the cause of the virus, or of trying to replicate itself, and yet they were quarantined?? Well .. how did Outlook send out 6 funky files? I do still have those. If you want to see one, or all, let me know if there is a safe way to send them. And when looking for them, it appears to be running really slow! It was left on for a while today, but not used.

    Will post again. Thanks.
     
  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! I thought you meant it found 70 just now. About the emails, anything is possible but that doesn't sound normal to me. As of now, I would just delete the emails from the Sent folder or Outbox folder wherever they are.

    If it's still acting up, I would delete the profile and create a new profile and re-configure the account settings and see if it still happens. Also, make sure your antivirus is configured for the mail scanner to run in case there are infected emails.
     
  20. ellen46240

    ellen46240 Private First Class

    The computer seems to be running normally. Looking in the "Deleted Items" folder of Outlook.. the dates range from 10/31 to 12/9 to the last one of 1/13 (which was one day before I logged on here with problems). But I'm not certain that these files are bad. Outlook may have been my default email (not sure how to verify).. and they may have been loaded into Outlook inadvertently, and were never sent, because it was never set up with proper account info, until the other night. The increase in file size may only be added text.

    Is there a good bench mark program to run, to verify normal system speed and operation? It's spending 99% idle! And is there an easy way to scan these "deleted email" files and/or to open them, without risk? Sorry, but the emails may be a false alarm. I'm certain I had not examined the "outbox" before setting the accounts to be functional. And I had only used Outlook Express before this, and not Outlook (and that was some time back). I even did a full MBAM scan too, without any problems showing up.
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I would post this in the Software Forum since it's not malware related. :)

    If they are infected your antivirus should detect them.
     
