Virtumonde (and ..?) - help needed

Welcome to Major Geeks!

Please follow the instructions in the below link and attach the requested logs when you finish these instructions. If something does not run, write down the info to explain to us later but keep on going. Do not assume that because one step does not work that they all will not.

READ & RUN ME FIRST. Malware Removal Guide

 

I strongly recommend that you attach all of the requested logs. Most Vundo infections will leave a lot of extra baggage around that always requires manual removal.

 

I need the requested log from MGtools. This is the C:\MGlogs.zip file.

 

You are in pretty good shape. We only have a little to do. You must have caught the infection very early.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)

After clicking Fix, exit HJT.

Now delete the below file:
C:\WINDOWS\BM236a2adc.txt

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it.


Then attach the below log:

• C:\MGlogs.zip

Make sure you tell me how things are working now!



Observations:

• You have both Spy Sweeper and Spyware Doctor installed. I would recommend only using one of these because they will slow your PC down and you can have conflicts between them just like with antivirus programs.
• You have an old version of Spybot installed and should update.
• You have an old version of SpywareBlaster installer and should update.

 

You're welcome.

Final instructions appear further down in this message.

Some programs will allow automatic updating. Spy Sweeper as you know does. Spyware Blaster will only autoupdate if purchased but it is not a scanner anyway. Spybot does not autoupdate. You antivirus program should get auto updates. As far as scanning, some programs allow you to use a built-in scheduler to create tasks for when they are run. Spy Sweeper does this and NOD32 probably had the feature too. For others, you could probably create a Windows Task yourself to run weekly. There are some programs out there that attempt to get updates for many programs automatically but I don't recommend using them as they add to the additional waste of system resources since they always have to load and run at startup. Personally I prefer to do my own updating so that I know when the system is changed (due to the update) and if something strange starts to happen, I then know what updates may have caused an issue. With autoupdates running without your knowledge, you would just be thinking that you have not changed anything that could be causing your system to behave improperly.

Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:

1. You can uninstall SUPERAntiSpyware now.
2. We recommed you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
4. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combo-fix" /u
     • Notes: The space between the cf" and the /u, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
   • Delete the C:\cf folder from combofix.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
9. If you are running Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

No! System Restore is not a problem as my last message will take care of that and the second item in that snapshot is just an MP3 that you downloaded. I cannot read where anything after that is being detected but if they are in System Volume Information they are not problems. Also if they are in one of the Quarantine folders they are also not problems. Finish my final instructions and see where things stand.

 

You're welcome. Surf safely!

 

We do not close threads since only the creator and one of the staff here can reply to threads in the Malware Forum. Thus no one can hijack a thread. We know when a thread is complete by being the last to post and then we just let it slip down out of sight. Thus if you do not have the need for any more help it would be best to not post anymore now.