Virtumonde Virus

Discussion in 'Malware Help (A Specialist Will Reply)' started by vherman, May 23, 2007.

  1. vherman

    vherman Private E-2

    I followed all the steps recommended here:

    http://forums.majorgeeks.com/showthread.php?t=35407

    I believe I may have cleaned the Virus I have but I'm not sure. I'm posting all my logs, the HiJackThis log was created after running all the anti-virus/anti-spyware/Clean-Up-Virtu-Monde-App programs recommended.

    This thread contains the first 3 log files.
     

    Attached Files:

  2. vherman

    vherman Private E-2

    and some more logs...
     

    Attached Files:

  3. vherman

    vherman Private E-2

and the Erase-Virtumonde-Virus logs. I ran the Erase-Virtumonde-Virus app twice at the end as suggested for "Extra Steps You can Take" in the thread that guided me through this whole mess. The first time it found a whole slew of dlls (see "VundoFix-FirstRun.txt"). I rebooted and the computer looked cleaned (see "VundoFix-After Reboot-SecondRun.txt").

    Thanks for all your help!

    Valter
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please be careful with the names you call things. We do not have a program or a procedure named Erase-Virtumonde.

    Also note that you did not attach any logs from VundoFix but we don't need them now anyway.


    Uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Uninstall the below old versions of software:
    Java 2 Runtime Environment, SE v1.4.2
    Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME
    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Continue by downloading two tools we will need

    - ProcessExplorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    Make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of any of the below DLL files (if found) and then click the kill button.
    ddaya.dll
    khfdbcd.dll
    mljjg.dll
    mscro1.dll
    ssqonnm.dll
    txaihgvs.dll
    uietsufd.dll
    wwkkbxvq.dll

    After you have killed all instances of any of the above DLLs under winlogon click ok.
    (If you do not find these DLLS, just continue on.)

    Next double click on explorer.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    ddaya.dll
    khfdbcd.dll
    mljjg.dll
    mscro1.dll
    ssqonnm.dll
    txaihgvs.dll
    uietsufd.dll
    wwkkbxvq.dll

    After you have killed all instances of any of the above DLLs under Explorer click ok.
    (If you do not find these DLLS, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    ddaya.dll
    khfdbcd.dll
    mljjg.dll
    mscro1.dll
    ssqonnm.dll
    txaihgvs.dll
    uietsufd.dll
    wwkkbxvq.dll

    After you have killed all instances of any of the above DLLs under iexplore click ok.
    (If you do not find these DLLS, just continue on.)

    Now just exit Process Explorer.

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {68282B42-C6DF-4455-95D8-1F659D4925F9} - (no file)
    O2 - BHO: (no name) - {DA82267D-2F5B-4DDD-A9A2-D0EC308A30C9} - C:\WINDOWS\system32\ddaya.dll (file missing)
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Startup: TA_Start.lnk = C:\Documents and Settings\vherman.essi\Local Settings\Temp\TICHD003.exe
    O15 - Trusted Zone: *.akamai.net
    O15 - Trusted Zone: http://V4.Windowsupdate.microsoft.com
    O15 - Trusted Zone: http://*.windowsupdate.com
    O15 - Trusted Zone: http://Download.Windowsupdate.com
    O20 - Winlogon Notify: ddayx - C:\WINDOWS\
    O20 - Winlogon Notify: mljjg - C:\WINDOWS\system32\mljjg.dll (file missing)

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\132.tmp
    C:\139.tmp
    C:\149.tmp
    C:\150.tmp
    C:\15B.tmp
    C:\171.tmp
    C:\17E3.tmp
    C:\18A.tmp
    C:\18F.tmp
    C:\WINDOWS\SYSTEM32\ddaya.dll
    C:\WINDOWS\SYSTEM32\khfdbcd.dll
    C:\WINDOWS\system32\mljjg.dll
    C:\WINDOWS\SYSTEM32\mscro1.dll
    C:\WINDOWS\SYSTEM32\ssqonnm.dll
    C:\WINDOWS\SYSTEM32\txaihgvs.dll
    C:\WINDOWS\SYSTEM32\uietsufd.dll
    C:\WINDOWS\SYSTEM32\wwkkbxvq.dll
    C:\WINDOWS\SYSTEM32\ayadd.bak1
    C:\WINDOWS\SYSTEM32\gjjlm.bak1
    C:\WINDOWS\SYSTEM32\xyadd.bak2
    C:\WINDOWS\SYSTEM32\ayadd.tmp
    C:\WINDOWS\SYSTEM32\xyadd.tmp
    C:\WINDOWS\SYSTEM32\ayadd.ini
    C:\WINDOWS\SYSTEM32\ayadd.ini2
    C:\WINDOWS\SYSTEM32\dfusteiu.ini
    C:\WINDOWS\SYSTEM32\gjjlm.ini
    C:\WINDOWS\SYSTEM32\qvxbkkww.ini
    C:\WINDOWS\SYSTEM32\svghiaxt.ini
    C:\WINDOWS\SYSTEM32\xyadd.ini
    C:\WINDOWS\SYSTEM32\xyadd.ini2
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue
    (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    After reboot run Windows Explorer and double check that all the files listed above to remove with Killbox were deleted. If you still find any of them, delete them.

    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
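A triage helper for the kinds of HijackThis lines chaslang singles out above (orphaned O2 BHO entries, an O4 startup item launched from a Temp folder, O15 Trusted Zone additions, and O20 Winlogon Notify handlers with no DLL behind them). This is an added example, not code from the thread or from HijackThis itself; it assumes HJT's "Oxx - ..." line format as quoted in the thread, and the sample log lines are constructed, with one benign entry per group for contrast.

```python
import re

# Constructed sample, patterned on the HijackThis lines quoted in the thread;
# the helper.dll, QuickTime and crypt32chain lines are constructed benign entries.
SAMPLE_HJT_LOG = """\
O2 - BHO: (no name) - {68282B42-C6DF-4455-95D8-1F659D4925F9} - (no file)
O2 - BHO: (no name) - {DA82267D-2F5B-4DDD-A9A2-D0EC308A30C9} - C:\\WINDOWS\\system32\\ddaya.dll (file missing)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\helper.dll
O4 - Startup: TA_Start.lnk = C:\\Documents and Settings\\vherman.essi\\Local Settings\\Temp\\TICHD003.exe
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O15 - Trusted Zone: *.akamai.net
O20 - Winlogon Notify: ddayx - C:\\WINDOWS\\
O20 - Winlogon Notify: mljjg - C:\\WINDOWS\\system32\\mljjg.dll (file missing)
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

# HJT marks registrations whose target no longer exists on disk with these suffixes.
ORPHAN = re.compile(r"\((no file|file missing)\)\s*$")
# Startup items that run out of a temp directory are a classic dropper leftover.
TEMP_PATH = re.compile(r"\\(Temp|Temporary Internet Files)\\", re.IGNORECASE)


def triage(log_text):
    """Return (reason, line) pairs for HJT lines that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]          # "O2", "O4", "O15", "O20", ...
        if section == "O2" and ORPHAN.search(line):
            findings.append(("orphaned BHO registration", line))
        elif section == "O4" and TEMP_PATH.search(line):
            findings.append(("startup item launched from a Temp folder", line))
        elif section == "O15":
            findings.append(("Trusted Zone entry to review", line))
        elif section == "O20":
            target = line.split(" - ")[-1]          # path after the handler name
            # Either the DLL is gone, or the entry points at a directory, not a DLL.
            if ORPHAN.search(target) or target.endswith("\\"):
                findings.append(("Winlogon Notify handler without a DLL behind it", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_HJT_LOG):
        print(f"[{reason}] {line}")
```

An entry flagged as orphaned means the registry still points at a DLL that is gone; HJT's Fix removes the dangling registration so nothing tries to load it at the next logon.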
     
  5. vherman

    vherman Private E-2

    I uninstalled my old version of Java and reinstalled the new version.

    With Process Explorer, I did not have to kill any of the threads specified.

    I fixed those entries you recommended with HiJackThis.

    I entered in the registry settings you recommended.

    After running KillBox and rebooting, I still had to manually delete some of the files you specified.

    I ran CCleaner, GetRunKey, ShowNew and HiJackThis and am posting the logs.

    Thanks so much for your help.

    Valter
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why did you uninstall Spybot? It provides very useful protection when you use the Immunize feature and the bad download blocker (SDhelper) as stated in the READ ME. You have no active realtime antispyware blocking tool on your PC at all, and even though Spybot is not a realtime blocker unless Teatimer (not recommended) is used, it does provide a small amount of protection and is worth having. Also you need it to do antispyware scanning periodically.

    Why did you start using MSconfig to control startups again? We cannot fix things when you do this and we clearly specify not to do this in the READ ME. MSconfig should not be used to control startups like this on a long term basis. It should only be used for debugging. If you don't need those items, uninstall the software. If you need the software but don't need the items to load at startup, configure the software within its options to not load at startup or permanently fix the startup item using HJT. Then for anything else you need to load a certain time only, use a real startup manager program like: Startup CPL

    You have several items stuck in MSconfig that were in my previous instructions to fix and they could not be fixed since you ran MSconfig.


    You also did not tell me how things are working.
     
