Battle with Virtumonde and Friends

Discussion in 'Malware Help (A Specialist Will Reply)' started by kris87, Jan 12, 2009.

  1. kris87

    kris87 Private E-2

    Hey!

    First of all, I just want to express my IMMENSE gratitude for your detailed 'Read Me' process and cleanup etc. Went through it all today after discovering I had that pop-up Virtumonde virus on my machine somehow, along with SmitFraud-C and a few less malicious ones.

    I just wanted to include my logs for you to look at, as I'm not 100% sure that everything is a-ok yet or whether there's some additional stuff I may need to do based on what the logs say. But otherwise, I'm hopeful that the main issues have now been blown away and the system is all good (it seems okay so far!)

    I zipped up the cleanup process logs (hope that's okay) so I didn't have to double post.

    Really appreciate any further assistance you could give.
    Thanks SO much,
    Kris :)
     


  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com!

    First, uninstall your current versions of SAS & MBAM. Once uninstalled, reboot and download the new updated programs below. Once downloaded, install, update and run full scans with both. Attach the new logs once complete.

    Also, download the newest version of ComboFix & MGTools below and once complete with the two scans above, run this once more as well.

    Your next post should contain new logs from MBAM, SAS, ComboFix and MGTools.

    MGTools.exe

    ComboFix

    Malwarebytes Anti-Malware 1.33

    SUPERAntiSpyware 4.25.0.1008
     
  3. kris87

    kris87 Private E-2

    Have downloaded all software, followed instructions as per your request and re-run everything.

    Attached new logs for the 4 you mentioned.

    Thanks heaps.
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Pre-Instructions:
    1. First, please disable any antivirus and/or antispy programs you have installed so they will not block this fix.
    2. Print out these instructions or save them to a text file so that you can operate with All Browser Windows CLOSED.

    Step 1:
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Again, make sure ALL browser windows are closed when you click FIX.

    Step 2:
    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Step 3:
    Default Security Settings

    To Default Security Settings:
    For Internet Explorer 6 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up navigate to the Security Tab and click Default Level for the following:
    • Internet
    • Local Intranet
    • Trusted Sites
    • Restricted Sites.
    Click OK to exit.

    For Internet Explorer 7 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up, navigate to the Security Tab and simply click the "Reset all zones to default level" button. Click OK to exit.

    NOTE: If it's "grey" then it's already at the default level.

    Step 4:
    Please download ATF-Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF-Cleaner menu to close the program.

    Step 5:
    Finally, run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
  5. kris87

    kris87 Private E-2

    Hey bjgarrick,

    I was up to step 2 using combofix to remove the malware files. It seems to be jammed on 'scanning the machine for infected files'. The combofix command prompt has said: "Scanning for infected files ... This typically doesn't take more than 10 minutes. However, scan times for infected machine may easily double."

    Combofix has been running on this same thing for 16 hours now and I'm not sure what I should do.

    I also cannot complete step 4, as I have Windows Vista.
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Try to close it and start it again.

    It does work on Windows Vista now, so I need to change that; you can run this or CCleaner.
     
  7. kris87

    kris87 Private E-2

    Have tried to close ComboFix and managed to do so, but had to restart the machine.

    Then restarted ComboFix to complete the step again, and it did the same thing - continued to appear to be stuck on the same "Scanning files" bit. Then uninstalled ComboFix as per the uninstalling instructions on here, rebooted. Re-downloaded the link from this thread and ran the step again. Same thing happened. It can't seem to get past that bit for some reason.
     
  8. kris87

    kris87 Private E-2

    I ended up skipping over the ComboFix step for the time being and went on to complete the rest successfully - although my Firefox browser has gone a little weird after the ATF Cleaner. For example, when using the Firefox browser to reply to this, I couldn't attach anything as the 'Manage Attachments' button wasn't showing up even if I refreshed etc. It was fine before ATF, however.

    In the meanwhile, I have attached the MGLogs in case that helps.

    Thanks for all your help so far - appreciate it a lot! :)
     


  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will pop up for you to view when you login after reboot. Please attach this log to your next post.
    Next, copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Once you complete the above steps, try again to run ComboFix and attach the new log once complete. Also, please run MGTools again and attach a fresh set of logs.
     
  10. kris87

    kris87 Private E-2

    Ran through all those steps successfully - although somehow something managed to change the lettering of my drives. C drive is still the OS, but D drive, which was my data, is now E drive, and G drive, which was the NVCACHE drive, is now D drive. Is that fixable or possible to change back at all?

    Have attached all logs as per requested.

    Thank you SO much for all your help so far - I appreciate it more than you could imagine!
     


  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    We need to use ComboFix once more to remove some leftovers.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.
    Once you complete the above, attach the log from ComboFix. Also, run "C:\MGtools\GetLogs.bat" and attach a new set of logs.
     
  12. kris87

    kris87 Private E-2

    Having that same problem with ComboFix as before - will not make it past the scan bit when loading the script file in. Has been stuck on the 'scanning files' message without doing anything for two hours so I had to exit out and reboot. Then tried again, and it did the same thing.
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download a fresh copy of ComboFix and try it once more.
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you still can't get ComboFix to run properly, just run the below.

    Run Avenger again, just like you did before.
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will pop up for you to view when you login after reboot. Please attach this log to your next post.
    Once you complete the above, let me know how things are running. Also, please attach a new set of logs from MGTools.
     
  15. kris87

    kris87 Private E-2

    Re-downloaded and tried again, but couldn't get it to work. Still stuck on 'scanning'.

    Ran avenger and MGTools and have attached logs.

    Things seem to be running okay - there's not as much lagging going on anymore, problems on start up and rebooting have been fixed. There's a definite improvement!
     


  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your logs are clean! If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware & Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note: the quotes are required.
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. If we had you run Avenger, you can delete all files related to Avenger now.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis.
    8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip.
    9. If you are running Windows Vista, Windows XP or Windows ME, you need to follow the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  17. kris87

    kris87 Private E-2

    Thanks so much for your time and effort in helping me fix this thing, bjgarrick!

    I REALLY appreciate it HEAPS! No way I would have been able to do it without your help!

    Thanks again :)
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're Welcome!

    Surf Safely!
     
