antispyware-reviewsdotbiz + virtumonde

Discussion in 'Malware Help (A Specialist Will Reply)' started by TomDoes, May 24, 2008.

  1. TomDoes

    TomDoes Private E-2

    Hello,

    I recently picked up the antispyware-reviews.biz malware and probably some other malware too. I ran all the steps in the readme, but I discovered this morning that my email address has been sending spam (I think it was sent before I ran the readme). Could anyone check my logfiles to make sure that I've removed all the threats?

    Thank you in advance,

    Tom
     

    Attached Files:

  2. abri

    abri MajorGeek

    Re: antispyware-reviews.biz + virtumonde

    Hi TomDoes,
    Welcome to Major Geeks!

    Did you run SuperAntiSpyware? If so, and it found anything, please attach the log for that as well. If it didn't find anything, just tell us. You do have malware on your computer. Please avoid using it as much as possible and avoid any unnecessary reboots until we can get a set of instructions to you.

    abri
     
  3. TomDoes

    TomDoes Private E-2

    Re: antispyware-reviews.biz + virtumonde

    Here's the SAS log.
     

    Attached Files:

  4. abri

    abri MajorGeek

    Hi Tom Does

    Please do the following:


    1) Please disable your guest account if this hasn't already been done.


    2) Go to add/remove programs and uninstall the below:


    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) SE Development Kit 6 Update 2
    Java(TM) SE Runtime Environment 6 Update 1
    Java DB 10.2.2.0 <-------- after running AVenger below, your computer will reboot automatically and I will give you the download sites for the different Javas.



    3) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    4) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O2 - BHO: (no name) - {11AD3CD6-3E2A-B489-EA36-0916198154D3} - C:\WINDOWS\system32\qczexdnd.dll
    O2 - BHO: (no name) - {70A5C1E0-D96E-2AFB-340B-056C59ECAC1F} - C:\WINDOWS\system32\ofzroayp.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [hahseisi] C:\WINDOWS\system32\hahseisi.exe
    O20 - Winlogon Notify: iifgExuv - iifgExuv.dll (file missing)

    Do you need for the following to load at startup? If not, please fix them as well.

    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

    After you click fix, just close hijackthis.


    5) Download and install Erunt. Use it to create a backup of your registry.

    6) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the File Type is set to "all files" Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.
    7) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    8) Now run CCleaner at the default setting with the Windows tab as the top one.



    9) Install the current version of Sun Java (Java TM) from: Sun Java Runtime Environment
    Then go to http://www.sun.com/download/index.jsp?tab=4 for the newest version of the Java DB


    10) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Avenger log, whichever we used. Also, please let me know if you got a success message with the REGEDIT4 registry patch.


    Let me know how things are running now?

    abri
     
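The HijackThis entries abri asked Tom to fix share a few traits a defender can check for mechanically: BHOs registered with "(no name)", Winlogon Notify handlers whose DLL is "(file missing)", and executables with random-looking eight-letter names sitting in system32. The script below is an added example (not part of this thread and not a MajorGeeks or HijackThis tool): it parses O2, O4 and O20 lines of the format quoted above into records and flags the suspicious ones. The sample log is constructed from the lines in the post, and the eight-letter-name rule is an assumption taken from those entries, so it is a triage aid, not a verdict; anything it flags should still be confirmed against the file's hash or a scanner before removal.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the entries quoted in the post above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {11AD3CD6-3E2A-B489-EA36-0916198154D3} - C:\WINDOWS\system32\qczexdnd.dll
O2 - BHO: (no name) - {70A5C1E0-D96E-2AFB-340B-056C59ECAC1F} - C:\WINDOWS\system32\ofzroayp.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [hahseisi] C:\WINDOWS\system32\hahseisi.exe
O20 - Winlogon Notify: iifgExuv - iifgExuv.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
"""


@dataclass
class HjtEntry:
    kind: str                  # HijackThis section: O2 (BHO), O4 (Run key), O20 (Winlogon Notify)
    name: str                  # BHO display name, Run value name, or Notify key name
    path: Optional[str]        # file the entry points at, if one could be extracted
    missing: bool = False      # HijackThis reported "(file missing)"
    reasons: List[str] = field(default_factory=list)


O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$')
O4_RE = re.compile(r'^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>\S+)(?P<missing> \(file missing\))?$')

# Assumed heuristic: an 8-letter name with no recognisable word, taken from the post's entries.
RANDOM_STEM_RE = re.compile(r'^[A-Za-z]{8}$')
SYSTEM_DIRS = ('\\windows\\system32\\',)


def _exe_from_command(cmd: str) -> str:
    """Return the executable path from a Run-key command, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]


def parse_hijackthis(text: str) -> List[HjtEntry]:
    """Parse O2/O4/O20 lines into records; unknown line types are skipped."""
    entries: List[HjtEntry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = O2_RE.match(line)
        if m:
            entries.append(HjtEntry('O2', m['name'], m['path']))
            continue
        m = O4_RE.match(line)
        if m:
            entries.append(HjtEntry('O4', m['name'], _exe_from_command(m['cmd'])))
            continue
        m = O20_RE.match(line)
        if m:
            entries.append(HjtEntry('O20', m['name'], m['path'], missing=bool(m['missing'])))
    return entries


def _basename(path: str) -> str:
    return path.replace('/', '\\').rsplit('\\', 1)[-1]


def flag_entry(e: HjtEntry) -> HjtEntry:
    """Attach human-readable reasons to an entry that looks suspicious."""
    reasons: List[str] = []
    if e.kind == 'O2' and e.name.lower() == '(no name)':
        reasons.append('BHO registered without a name')
    if e.missing:
        reasons.append('registered file is missing from disk')
    if e.path:
        base = _basename(e.path)
        stem = base.rsplit('.', 1)[0]
        # A bare filename (no directory) resolves from the system path, so treat it like system32.
        in_system_dir = '\\' not in e.path or any(d in e.path.lower() for d in SYSTEM_DIRS)
        if in_system_dir and RANDOM_STEM_RE.match(stem):
            reasons.append(f'random-looking 8-letter filename {base} in a system directory')
    e.reasons = reasons
    return e


def suspicious_entries(text: str) -> List[HjtEntry]:
    """Parse a HijackThis log fragment and return only the entries with at least one reason."""
    return [e for e in (flag_entry(x) for x in parse_hijackthis(text)) if e.reasons]


if __name__ == '__main__':
    for e in suspicious_entries(SAMPLE_LOG):
        print(f'{e.kind} [{e.name}] {e.path}: ' + '; '.join(e.reasons))
```

Run against the sample, the script reports the two unnamed BHO DLLs, the hahseisi.exe Run entry and the missing iifgExuv.dll Notify handler, and leaves the Java, QuickTime and iTunes entries alone; abri's fix list also includes those three, but for maintenance reasons (outdated Java being uninstalled, unneeded startup items) that no log heuristic can decide for you.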
  5. TomDoes

    TomDoes Private E-2

    First: Thank you for the quick response!

    Second: I completed all the steps; the merging went successfully.

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" --> this didn't exist after uninstalling.

    O4 - HKLM\..\Run: [hahseisi] C:\WINDOWS\system32\hahseisi.exe --> this didn't exist anymore either

    It seems to run fine, but it seemed fine after the readme too and it wasn't, so I guess the logs will tell how it went.

    Third: Here are the logs
     

    Attached Files:

  6. abri

    abri MajorGeek

    Hi TomDoes,

    Looks good! Please go through the final cleanup instructions which will remove all our tools and logs and will show you how to set a clean restore point that you can come back to. Also, it would be a good idea to read through the How to protect yourself from malware thread. It's an easy read and has some good suggestions in it for how to get the best set of protective software for the least amount of resources.
    abri
     