Thank you Chaslong/MajorGeeks good bye Virtumonde, Trojan.Agent.AOY, LOP, etc

Discussion in 'Malware Help (A Specialist Will Reply)' started by nicegirl030, Dec 7, 2007.

  1. nicegirl030

    nicegirl030 Private E-2

    Hi, this is my first post, not sure if it's in the right spot but...

    I was infected with a ton of malware, trojans and viruses. I had the blinking yellow triangle and things got worse before they got better. I had to do the scans more than once.....in normal computer start up mode, in safe mode, connected to the internet, not connected to the internet and I FINALLY GOT IT ALL!!!!!! It took me 5 days after discovery, and part of it taking so long was I hadn't uninstalled all the possible malware i.e. viewpoint and disabling Windows Messenger helped (not to be confused with MSN Messenger) although I did disable that also. Also, I had to run Combo Fix twice and the MG tools twice. I must say that SPY Bot was consistently pulling stuff out when AVG couldn't. But AVG also pulled its weight by removing LOP. Anyway, just my experience, just read and followed instructions exactly. What a nightmare, I am protected now, I didn't have Anti-Virus for 4 years and became infected in the worst way in November of this year.....a lesson learned.

    Anyway, to the individuals who help us on this site your time and effort are so appreciated. THANK YOU!!!!! :heart:heart:heart
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    I'm happy to hear our procedures help you out, however if you really had a Virtumonde infection, it is advisable that you attach the logs from the READ ME so we can check to make sure it is really gone. Vundo infections can leave dozens of files laying around that will not be detected by malware scanners. By looking at your logs, we can tell you if you are still infected.
     
  3. nicegirl030

    nicegirl030 Private E-2

    Okay, let me attach them for you. I wasn't trying to bother you because I see you are busy. From my experience, Virtumonde is not something that stays silent or is to be ignored for long. It shows its presence soon enough. I do have some sort of an updater in Control Panel that comes back after I delete it but other than that my processes look whiter than snow..hehe...anyway...let me attach them....once I figure out how to....I've saved them, it's just a matter of attaching them now.

    I've been on the internet for 2 nights now, no re-direction to different sites, no pop-ups, no weird processes running, no slow computer...nothing

    In fact, I wanted to mention my computer is running faster than it ever has... anyway, will attach files soon....
     
  4. nicegirl030

    nicegirl030 Private E-2

    Chaslang, this is what I could get. I cannot get the AVG log from the ANTI SPY, it won't let me save the report (yes I followed the steps to have a report run after the scan but the "save report" button remains not an option). Weirdest thing. It saved a report from the 4th though. However it was on the 6th or early morning 7th of December that I finally got the "all clear" in that there have been no problems.

    Check these out, if I need to I'll find a way to get the AVG log.......

    P.S. I ran the Virtumonde tool remover and it didn't remove or detect anything. However, running SPY Bot afterwards detected Virtumonde and removed it. After that I ran Combo Fix and finished up the procedures set forth and there's been no problem since. Crossing fingers, that I'm done..if not though, I'm ready to see this through til I am.......
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We don't actually ask for HijackThis logs because separate ones are not needed. We do however need the MGlogs.zip file that is created. It actually already contains a HijackThis log and 4 other logs. This is the most important log in determining if you are still infected. Having VundoFix or other tools say you are clean is not a valid indication of being clean. Neither is the fact that you have no symptoms. If you don't get rid of all the hidden files, your chances of reinfection are still there.

    Please attach the C:\MGlogs.zip file which is requested.
     
  6. nicegirl030

    nicegirl030 Private E-2

    Got it, here you go....
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must be either really lucky or you just happened to catch the Vundo infection before it spread too much. It is mostly gone; however there are some other problems to resolve. I see you logged in. Hang on while I finish creating a fix.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O4 - HKLM\..\Run: [windows auto update] msblast.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
    O4 - HKCU\..\Run: [Poibvi] C:\WINDOWS\SYSTEM32\??crosoft\n?pdb.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/17766a9903ca59472805/netzip/RdxIE.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/144e3246225a91ca4a21/netzip/RdxIE601.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_01) -
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.11.9/ttinst.cab
    O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab

    After clicking Fix, exit HJT.

    Now reboot

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created.
    Make sure you tell me how things are working now!
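A small triage script for HijackThis-style lines like the ones chaslang listed above, added here as an example and not part of the thread or of HijackThis itself. It parses the "section - body" format and flags the patterns a helper looks for when deciding which entries to fix: registry entries that still point at a file that no longer exists ("(no file)"), Run keys whose executable has a known worm name, no directory path, or an obfuscated path, and O16 DPF ActiveX downloads served from a raw IP address or with no download URL at all. The sample lines are copied from the log quoted above; the worm-name list and the flagging rules are assumptions of this example, not HijackThis logic.

```python
"""Triage helper for HijackThis-style log lines.

Added example, not part of the thread or of HijackThis. Assumptions: lines
follow the 'Oxx - body' convention; KNOWN_WORM_NAMES and the flagging rules
are this example's own, built from the entries marked for removal above.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Sample lines, copied from the HijackThis output quoted in the thread.
SAMPLE_LINES = [
    "R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)",
    "O4 - HKLM\\..\\Run: [windows auto update] msblast.exe",
    'O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime',
    "O4 - HKCU\\..\\Run: [Poibvi] C:\\WINDOWS\\SYSTEM32\\??crosoft\\n?pdb.exe",
    "O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/17766a9903ca59472805/netzip/RdxIE.cab",
    "O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_01) -",
    "O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab",
]

# Assumed list: executable names this thread's helper marked for removal.
KNOWN_WORM_NAMES = {"msblast.exe"}

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_line(line):
    """Split 'O4 - HKLM\\..\\Run: ...' into (section, body); None if not HJT-shaped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("section"), m.group("body")


def first_token(cmd):
    """Return the executable part of a Run-key command, honouring quoted paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def is_raw_ip_host(url):
    """True when the URL host is a bare IP address rather than a domain name."""
    host = urlparse(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(lines):
    """Return (section, body, reasons) for every line worth a closer look."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        section, body = parsed
        reasons = []
        if body.endswith("(no file)"):
            # Registry still references a file that is gone: safe to remove.
            reasons.append("orphaned entry (no file)")
        elif section == "O4":
            run = RUN_RE.match(body)
            if run:
                exe = first_token(run.group("cmd"))
                name = exe.rsplit("\\", 1)[-1].lower()
                if name in KNOWN_WORM_NAMES:
                    reasons.append("known worm filename")
                if "\\" not in exe:
                    reasons.append("bare filename, no path")
                # '?' or non-ASCII in a system path is a classic look-alike trick.
                if "?" in exe or any(ord(c) > 127 for c in exe):
                    reasons.append("obfuscated path")
        elif section == "O16":
            if body.endswith(" -"):
                reasons.append("dangling DPF entry (no download URL)")
            else:
                url = body.rsplit(" - ", 1)[-1]
                if is_raw_ip_host(url):
                    reasons.append("ActiveX download from raw IP address")
        if reasons:
            findings.append((section, body, reasons))
    return findings


if __name__ == "__main__":
    for section, body, reasons in triage(SAMPLE_LINES):
        print(f"{section}: {', '.join(reasons)}\n    {body}")
```

Run as a script it prints the five flagged entries from the sample; the two legitimate entries (the QuickTime Run key and the PopCap cab from a named domain) pass without a finding, which is the distinction a reviewer wants the rules to draw.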
     
  9. nicegirl030

    nicegirl030 Private E-2

    Okay I did as you said and here is the new log, let me know what you think.

    Thank you for taking the time out to review them, it is appreciated. You are right I am lucky once I found this site and your instructions though, I went to town with the scans....I'm so grateful. Good to know there are people doing good out there and not just the malicious type....:)
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean.


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that were created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    10. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
