virtumonde and privacysetB

Discussion in 'Malware Help (A Specialist Will Reply)' started by infoseeker, Jun 9, 2008.

  1. infoseeker

    infoseeker Master Sergeant

    I'm almost done with the Read and Run (hopefully I did not miss anything)


    but I'm stuck on this

    after running mgtools.exe
    then nothing more... nothing happened
    (the last thing is in CMD, then "press any key to continue", something like that)


    by the way, here are my 3 logs
    (only 3 because I got a problem with MGtools)

    I hope for your kind assistance


    thanks
     

    Attached Files:

  2. abri

    abri MajorGeek

    Hi infoseeker,
    Welcome to the Malware Forum!


    The press any key message means it's finished. Please hit the Post Reply button here for your thread and using the Manage Attachments button, look for MGlogs.zip directly under C:\

    You get the error you mentioned when your computer can't produce one of the logs, but this doesn't prevent it from completing the others. Just attach the zip file.

    Thanks.
    abri
     
  3. infoseeker

    infoseeker Master Sergeant


    ahhhhhhhh ok ... I did not notice that...

    here is my attachment



    BTW, thanks a lot abri ;) (it's been a long time since I was here :wave)
     

    Attached Files:

  4. abri

    abri MajorGeek

    Hi Infoseeker,

    Yes, it makes us happy if people do not come here too often! :-D

    1) Please see if you can find this file and delete it. I don't know if it will have the + sign for the name, so check the date and time information to verify it. The size should be 0.

    C:\WINDOWS\system32\+ (date and time: 2008-06-04 11:21 . 2008-06-10 11:23)

    2) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O20 - Winlogon Notify: efcCtrRJ - efcCtrRJ.dll (file missing)


    After you click fix, just close hijackthis.

    3) Next I would like to have you use ComboFix to remove some files.

    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    DIRLOOK::
    C:\TempEI4
    
    FILE::
    C:\WINDOWS\BM53f4a18c.txt
    
    REGISTRY::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcCtrRJ]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


    4) Now run CCleaner at the default setting with the Windows tab as the top one.

    5) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Combofix log.


    Let me know how things are running now.

    abri
     
  5. infoseeker

    infoseeker Master Sergeant

    ROFL :cry


    BTW, here is my log again

    thanks :p



    edit: BTW,
    I can't delete it/shred it.
    I even used moveondelete but no luck.
     

    Attached Files:

    Last edited: Jun 10, 2008
  6. abri

    abri MajorGeek

    Hi infoseeker,

    I'm afraid to have one of the tools delete it, because last time I ran into something like it, I had combofix do a LOOK command, and combofix ignored the character which was a ! and gave the contents of the entire System32 folder. Can you imagine me having you delete your entire System32 folder? :-D
    Oh, and while I'm asking about it, did it have the name + ? Or did you end up finding it with the date and time stamp?
    I'll take it up with chas and see if he has some ideas. It certainly doesn't look like something that should be there. Any chance you can rename it? If you can get into the rename function, try to add .zzz to the end of it.

    Also, would you upload one of the files in your C:\TempEI4 folder? Unless you zip them, you can probably only upload one that ends with .log.

    abri
     
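    An added example, not from the thread and not code from MGtools, HijackThis or ComboFix, that carries out the checks abri asked for in posts 4 and 6 in PowerShell: list zero-byte files in System32 with the creation and last-write times used to identify the "+" file, rename a named candidate with a .zzz suffix instead of deleting it, and flag Winlogon Notify entries whose DLL is absent on disk, which is what HijackThis reports as "(file missing)" on the O20 line. It assumes Windows PowerShell 2.0 or later run from an administrator prompt; the function names and the .zzz suffix are assumptions, and every path is passed with -LiteralPath so a name such as + or ! is never expanded as a pattern, the failure abri describes with the LOOK command.

```powershell
# Added example (not from the thread or from any of the tools it names).
# Assumes Windows PowerShell 2.0+ in an elevated prompt. Function names and
# the .zzz suffix are assumptions for illustration.

$sys32  = Join-Path $env:SystemRoot 'System32'
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

# 1) Zero-byte files in System32, newest first. -Force includes hidden files;
#    -LiteralPath means no part of the path is treated as a wildcard.
function Get-ZeroByteSystemFiles {
    Get-ChildItem -LiteralPath $sys32 -Force |
        Where-Object { -not $_.PSIsContainer -and $_.Length -eq 0 } |
        Sort-Object CreationTime -Descending |
        Select-Object Name, Length, CreationTime, LastWriteTime
}

# 2) Rename one candidate by its literal name. "+" (or "!") is a legal NTFS
#    file name; the only thing that goes wrong is a tool expanding it as a
#    pattern, so every call here uses -LiteralPath. Renaming rather than
#    deleting keeps the file recoverable if it belongs to an installed program.
function Rename-ZeroByteFile([string]$Name) {
    $target = Join-Path $sys32 $Name
    if (-not (Test-Path -LiteralPath $target)) {
        Write-Output "No file named '$Name' in $sys32"
        return
    }
    $f = Get-Item -LiteralPath $target -Force
    Write-Output ("{0}  size={1}  created={2}  modified={3}" -f `
        $f.FullName, $f.Length, $f.CreationTime, $f.LastWriteTime)
    if ($f.Length -ne 0) {
        Write-Output "Not zero bytes; leaving it alone."
        return
    }
    Rename-Item -LiteralPath $target -NewName ($Name + '.zzz')
    Write-Output "Renamed to $Name.zzz"
}

# 3) Winlogon Notify packages whose DllName does not resolve to a file.
#    DllName may be a bare name (looked up in System32) or a full path,
#    possibly containing environment variables; expand it before testing.
function Get-OrphanedWinlogonNotify {
    if (-not (Test-Path -LiteralPath $notify)) { return }
    Get-ChildItem -LiteralPath $notify | ForEach-Object {
        $dll = (Get-ItemProperty -LiteralPath $_.PSPath).DllName
        if (-not $dll) {
            New-Object PSObject -Property @{
                Key = $_.PSChildName; DllName = '(none)'; Exists = $false
            }
            return   # next subkey
        }
        $expanded = [Environment]::ExpandEnvironmentVariables($dll)
        if (-not [IO.Path]::IsPathRooted($expanded)) {
            $expanded = Join-Path $sys32 $expanded
        }
        New-Object PSObject -Property @{
            Key     = $_.PSChildName
            DllName = $dll
            Exists  = (Test-Path -LiteralPath $expanded)
        }
    } | Where-Object { -not $_.Exists }
}

Get-ZeroByteSystemFiles | Format-Table -AutoSize
Get-OrphanedWinlogonNotify | Format-Table Key, DllName, Exists -AutoSize

# Only once you have confirmed the file is not part of an installed program
# (as the "+" file turned out to be later in this thread):
# Rename-ZeroByteFile '+'
```

    The two listing functions only read; the rename is left as a commented call because the thread itself shows why: the "+" file was an artefact of GiPo@MoveOnBoot, and renaming with a suffix lets you undo the change once you know that.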
  7. infoseeker

    infoseeker Master Sergeant

    thanks again... I'll wait for the other idea you got :major
     

    Attached Files:

  8. abri

    abri MajorGeek

    Hi infoseeker,

    Never a dull moment. I tried to open your zip file and it is corrupt or damaged. I want to talk to you first about the + file and then about the zip file.

    chaslang noticed that you may have installed two pieces of software yourself recently, and that one of them might be related to the + file. The more likely of the two is Password Protect USB. The other one is GiPo@Utilities.

    Password Protect USB 3.6.1

    Can you get to properties and see if this might be the case? Otherwise, you could also see if the + belongs to it by going to add/remove programs and uninstall the program. After you reboot, see if the + is gone. If so, then you will know that the file is no more harmful than the program itself and that it belongs with the program.

    As for the damaged zip file, it might have been damaged if you tried to upload when the site went down yesterday. Please try zipping it again but use one of the other files, and I'll see if the new one is the same or okay.

    Thanks.
    abri
     
  9. infoseeker

    infoseeker Master Sergeant

    Hi abri,

    I'm in the office as of now, so I will try to answer some of your queries.

    download: I can download it here (I've done it already), and I will post here what is there.

    EI41 - notepad
    EI43 - notepad also

    but there are two files that are unreadable
    (I'll attach them again)

    regarding
    GiPo@Utilities - this is the moveondelete that I tried to delete "+" with.

    Password Protect USB 3.6.1 - when I get home this evening I'll uninstall this and see if it will help.


    thanks again abri
     

    Attached Files:

  10. infoseeker

    infoseeker Master Sergeant

    I just arrived in my nipa hut home---

    + - it belongs here: C:\Program Files\GiPo@Utilities\GiPo@MoveOnBoot\mboot.exe -f "%1"

    Does it affect anything? Or do I need to uninstall the program?
     
  11. abri

    abri MajorGeek

    Hi infoseeker,

    If it belongs to that program, I think it's okay to leave it. I want to still find out about that one folder you gave me the contents for. How is your computer running?

    abri
     
  12. infoseeker

    infoseeker Master Sergeant

    My PC runs OK now.

    Now I think I can edit my boot mode: msconfig - services (Black Viper method).


    thanks a lot abri
     
  13. abri

    abri MajorGeek

    You're welcome InfoSeeker,

    I'll still get back to you about that one folder, but you can go ahead with the final clean up instructions now. I will leave it up to you whether you want to get rid of your previous restore points altogether. In any case, wait for a few reboots after you've uninstalled all the MGTools to make sure your computer is working okay, before you set a clean restore point.

    If you want to keep HijackThis (analyse.exe), then please skip the step which asks you to remove HijackThis via add/remove programs and see the extra instructions in gray at the bottom of the box.
    abri
     
