Virtumonde detected, help please :)

Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
GetRunKey <-- this will try to run all one scan from MGtools. Tell me what error messages, if any, you see.
ShowNew <-- this will try to run all another scan from MGtools. Tell me what error messages, if any, you see.

 

Try running GetRunKey again and see what happens. It should not be causing your PC to reboot.

Also attach the current copy of C:\MGlogs.zip

 

What program is actually detecting Virtumonde? Was it Spybot? Was it saying it was in the c:\windows\system32\mfc40.dll file?

Is Moon Secure Antivirus still installed on your PC? It shows in your logs but it does not appear to be installed.

 

Then see this thread because Spybot is wrong! Virtumonde detected by SpyBot

It is still on your PC. Drivers, files and folders are still present and should be removed. Would you like to do this.

You also have no protection in place.


Also you never updated Malwarebytes and thus it is more than 1100 database versions out of date. You need to update it and then run a new scan and and fix what it finds. Then attach a new log.

 

This could happen from running scanners which many times will set things back to system defaults. It is the only way to know they are correct settings since malware will frequently make changes to system setttings. By the way, it is much more secure to not bypass the Welcome Screen. You make it easier for malware the mess with you by doing this.


Uninstall the below software:
AVG PC Tuneup 2011
Spybot - Search & Destroy 1.4 <-- years out of date



Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\Temp
C:\Documents and Settings\Tigers\Local Settings\temp

Now click Start, Run, and enter sfc /scannow and click OK. There is a space after the sfc. This runs System File Checker which looks for missing or corrupted system files and attempts to replace/repair them from files on your hard disk or from the CD if necessary. So it will ask for the Windows CD if it needs it.

Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Now see if we can run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )



Now attach the below log:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

The start of that Note said if running Vista or Win 7.

But how are things working? Your logs are clean. The reason for you not being able to properly run the MGtools programs is unknown. Best guess is problems within Windows itself.

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 oof the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

It is a protected system file and the system will restore it if it is deleted. You can read about Windows File Protection in the below link:

http://www.microsoft.com/whdc/archive/wfp.mspx

 

You're welcome.

Check your Event Viewer logs to see if any info can be obtain from it. See:

How to view and manage event logs in Event Viewer in Windows XP

 

Post the info from your Event Viewer log in the Software Forum.

 

The info is all in the link I gave you. You need to read that info there and expand the More Infomration section if you are not seeing it. You need to provide specific info on the problems you are having ( anything related your reboots/crashes ). Please ask these questions in the Software Forum after posting there as you will need to answer/provide what anyone helping you there requests. I was just suggesting a starting point for you.

 

You're welcome. Surf safely!