help with virtumonde!

Discussion in 'Malware Help (A Specialist Will Reply)' started by vman2311, Dec 14, 2007.

  1. vman2311

    vman2311 Private E-2

    I've followed the malware removal but A-squared and Spybot keep finding this adware. How do I permanently delete this??
     
  2. vman2311

    vman2311 Private E-2

    Please Help!!!
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  4. vman2311

    vman2311 Private E-2

    Hey, I downloaded CCleaner, followed the malware removal guide and even used VundoFix. Still nothing happened. Spybot still finds it every time I scan.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to complete ALL the steps in the instructions not just CCleaner and Spybot. Please follow all the instructions given and follow them in the order given and then attach the requested logs!
     
  6. vman2311

    vman2311 Private E-2

    Okay...

    1. Basic computer maintenance has been completed by following Read & Run Me First, using Auslogics, Comodo Firewall Pro, Comodo BOClean, SpywareBlaster, Spybot-S&D, Avast, A-squared, and msconfig to set up for normal startup mode.

    2. Special removal procedures are done using "Virtumonde aka Trojan Vundo Removal". I even did it in safe mode with all the hidden files being shown. I used it but the program found no trace of it. What's odd is A-squared has picked up the trojan numerous times, and so has Spybot. I tried the Virtumonde aka Trojan Vundo Removal a second time but I got the same response of no trojan being found.

    3. House cleaning and setup completed, enable viewing of hidden files, system files and file extensions done, procedures based on your Windows operating system done.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still have not attached the logs that are requested in the READ & RUN ME instructions. We do not ask for a HijackThis log.

    Do you still have malware problems? If yes, you need to attach the logs that were requested.

    - ComboFix
    - AVG Antispyware
    - MGlogs.zip from running MGtools.exe
     
  8. vman2311

    vman2311 Private E-2

    Wow, I think it's gone thanks to ComboFix!... Hey man, thanks for the assistance... One question: now that my system's clean, do I still need MGlogs.zip from running MGtools.exe on my system, and ComboFix? Which application do you recommend only having temporarily on my computer, and which to keep?
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No it is not! You need to complete all of the instructions and attach all of the logs that were requested.
     
  10. vman2311

    vman2311 Private E-2

    Okay, it seems like ComboFix slowed my system down... or maybe I'm being paranoid, but it did mess up my time, which still isn't fixed...

    Okay, here's what you wanted:
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's because ComboFix did not completely run. If it had, the log you should have been attaching would be named C:\ComboFix.txt not log.txt. Where did you get that log from? What folder? Where did you run ComboFix from?

    You can fix your clock yourself from Control Panel -> Regional and Language Options and then on the Regional Options tab click the Customize button, then on the next form click the Time tab. Then change the Time format to what you want. It explains there what the lower case and upper case letters will do. Upper case H is giving you 24 hour clock settings.


    As you will see from below, you definitely were still infected.


    Let's begin by removing a service left over from Symantec!
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Symantec Lic NetConnect service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste CLTNetCnService into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Now uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 11
    Java(TM) 6 Update 2

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {6B1E542B-0CAE-4673-8BDE-A644271F6878} - C:\WINDOWS\system32\vtutu.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

    After clicking Fix, exit HJT.


    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    After reboot, delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\Documents and Settings\Vinesh C. Maharaj\Local Settings\Temp\

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
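    As an added illustration (not the helper's code or any MajorGeeks tool) of why the O2 line above was singled out: a small parser for HijackThis O2/O4 entries with a defender's triage heuristic for BHO lines. The sample lines are constructed from the two entries quoted in the post; the Adobe BHO with its all-zero CLSID is placeholder control data.

```python
import re

# Constructed HijackThis-style lines: the first and last mirror the entries
# quoted in the thread, the Adobe line (placeholder CLSID) is a benign control.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {6B1E542B-0CAE-4673-8BDE-A644271F6878} - C:\WINDOWS\system32\vtutu.dll
O2 - BHO: Adobe PDF Reader Link Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
O4_RE = re.compile(r'^O4 - (?P<key>.+?): \[(?P<value>[^\]]+)\] "?(?P<path>[^"]+)"?(?P<args>.*)$')


def parse_hjt(text):
    """Parse O2 (BHO) and O4 (autorun) lines into dicts; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = O2_RE.match(line)
        if m:
            entries.append({"type": "O2", **m.groupdict()})
            continue
        m = O4_RE.match(line)
        if m:
            entries.append({"type": "O4", **m.groupdict()})
    return entries


def bho_reasons(entry):
    """Triage reasons that make a BHO entry worth a closer look (heuristic, not proof)."""
    reasons = []
    raw = entry["path"]
    stem = raw.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if entry["name"].strip().lower() == "(no name)":
        reasons.append("unnamed BHO")
    if "\\system32\\" in raw.lower():
        # legitimate BHOs normally live under their product's Program Files folder
        reasons.append("DLL loaded from system32")
    if re.fullmatch(r"[a-z]{4,8}", stem):
        # short all-lowercase stems with no product name (vtutu, tjdemyto, ...) match
        # the naming pattern of the Vundo leftovers listed elsewhere in this thread
        reasons.append("random-looking filename")
    return reasons


def suspicious_bhos(entries):
    """Report only BHOs that trip at least two independent heuristics."""
    return [(e["clsid"], e["path"], bho_reasons(e))
            for e in entries if e["type"] == "O2" and len(bho_reasons(e)) >= 2]
```

    Anything reported should still be confirmed by checking the DLL's publisher and signature before it is removed; the heuristics only rank what to look at first.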
     
  12. vman2311

    vman2311 Private E-2

    I got the log from the C drive. There is another text file called ComboFix2.txt...

    Okay, I did everything... the Symantec Lic NetConnect service thing, the CLTNetCnService... and I have the MGlogs.zip. I loaded it on my desktop and followed all of it. The only problem is that Avenger keeps getting errors every time I run it (error code: 0). It didn't even create a log, and my system even found a trojan horse on it called avengeroot (I removed that). I rebooted my system and now for some reason some of my programs are asking me to insert a CD-ROM to install them, like Sonic Update Manager. Everything has been working well except the issues listed above.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That is not a trojan. The reason Avenger is not working is because you are blocking it from working. Shut down all protection software and also allow Avenger to run properly. You need to run the previous procedure again starting with the Avenger fix.
     
  14. vman2311

    vman2311 Private E-2

    Got it... yeah, now it's working! I did the Avenger, CCleaner, and MGtools... The files for Avenger showed not found, so I guess it got deleted the other times I ran Avenger.

    (Thanks for the help so far.) I still have the problem of some of my programs like Sonic Update Manager asking me to put a CD-ROM in and install it when it reboots. How do I stop this besides clicking cancel all the time?

    Okay, here's the Avenger text and I guess the new MGlog text.
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Delete the below folders:
    C:\Documents and Settings\Vinesh C. Maharaj\Application Data\Viewpoint
    C:\Documents and Settings\Vinesh C. Maharaj\Local Settings\Application Data\Viewpoint
    C:\Documents and Settings\All Users\Application Data\Viewpoint
    C:\Program Files\Common Files\Viewpoint

    Now delete the below files:
    C:\Program Files\bisrymmj.txt
    C:\Program Files\ffngdhqy.txt
    C:\Program Files\pjglmowj.txt
    C:\Program Files\tjdemyto.txt
    C:\cnjpftje.bat
    C:\vrdexhke.txt
    C:\vvagyiuq.bat
    C:\yyvbeegc.txt

    Other than the above your logs are clean.

    Were you having this problem before the malware problems? This is not due to any current malware. It could be that something related to Windows Installer is corrupted. Possibly a registry key. You could try running the below to see if it locates any issues to clean up:

    Windows Installer CleanUp Utility


    Other than the above I would suggest that you post a question about this in the Software Forum. If you don't use Sonic, then you could also uninstall it.


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that were created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    10. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
  16. vman2311

    vman2311 Private E-2

    So I'm basically done then, right? I mean after the system restore and malware stuff?
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After you complete ALL of my final steps then you are done.
     
