Virtumonde and Zlob

Discussion in 'Malware Help (A Specialist Will Reply)' started by Razor79, May 18, 2008.

  1. Razor79

    Razor79 Private E-2

    My wife and I had a house guest this past week who managed to infect our PC with Smitfraud, Virtumonde, and the Zlob viruses/malware just to name a few on last Monday, May 12th. When I got home from work Monday I literally had bugs crawling on my desktop and a blue background with a yellow text box that said 'You're computer is infected.'

    I downloaded some of the usual programs to detect what was going on, Ad-Aware, Spybot S&D, and Spyhunter. I ran each of those a couple of times and they all picked up something different that was removed after the scan. After I restarted, I ran the scan again with Spybot and noticed that Smitfraud, Virtumonde (and the dll), and Zlob.downloader.vcd were still getting picked up on the system.

    I came to your site for help and downloaded Smitfraudfix to take care of the Smitfraud malware. I followed all of the instructions and it worked beautifully. No more Smitfraud files or registry entries were showing up.

    Next I tried the vundofix to remove the virtumonde. I ran it just like instructed but whenever I rescanned with Spybot after a reboot, it showed back up.

    Then I went through your online malware removal process. I tried to follow everything to a 'T'. I uninstalled Spybot because I had previously loaded Teatimer and wanted to make sure I downloaded all of the programs that you had links to in case of a different software version. I did the CCleaner, superantispyware, spybot, malwarebytes, combofix, and HJT.

    Once I finished, I reran spybot to make sure everything was clear after several reboots since I couldn't tell if it was still there or not. The malware wasn't doing anything crazy to my computer after I started your removal process, it was just showing up on the malware scans. Well nothing came up. I ran superantispyware again too just to be sure and it couldn't find any malicious files either. YAY! My computer is running about 3x faster now and Symantec isn't going crazy with email scans.

    I still wanted to post my logs and have you take a look at them since you guys are the experts and have the trained eye.
     


  2. Razor79

    Razor79 Private E-2

    Attaching HJT zip file to thread.
     


  3. abri

    abri MajorGeek

    Hi Razor79,
    Welcome to Major Geeks!


    Please do the following:


    1) Please disable your guest account if this hasn't already been done.

    2) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    3) Run C:\MGtools\analyse.exe by double clicking on it. (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
    O2 - BHO: (no name) - {3A7BB3DE-8B2C-4B66-830C-CF08052C3965} - C:\WINDOWS\system32\iifDVNfe.dll (file missing)
    O2 - BHO: (no name) - {552FC9F6-B47F-4533-85FF-EA986C44CE39} - C:\WINDOWS\system32\cbXNEUmm.dll (file missing)
    O2 - BHO: (no name) - {61CC212B-3982-4136-AAE3-F61589D11619} - C:\WINDOWS\system32\xxyvtTji.dll (file missing)
    O2 - BHO: (no name) - {7C0C36D4-B1FA-4492-8B5A-9E1276C4B71E} - C:\WINDOWS\system32\qoMcaWmj.dll (file missing)
    O2 - BHO: (no name) - {8320577B-C992-44D2-8F8F-24FBF9260A24} - (no file)
    O2 - BHO: (no name) - {8A531450-E868-4B35-95F5-1CDA57E780DB} - C:\WINDOWS\system32\cbXPhghE.dll (file missing)
    O2 - BHO: (no name) - {B0807ED0-7397-4C52-84B4-3390AC3FCB85} - C:\WINDOWS\system32\geBttuuT.dll (file missing)
    O2 - BHO: (no name) - {BB6887B2-C153-4CBB-9E97-3F491BCDC438} - C:\WINDOWS\system32\byXNdcBR.dll (file missing)
    O2 - BHO: (no name) - {F4CDE624-C819-4C55-AA2A-3A6680003CDF} - C:\WINDOWS\system32\fccbASIB.dll (file missing)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [Yapta Tracker] C:\Program Files\Yapta\YaptaClient.exe /onstartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime


    Do the following need to load at startup? If not, please fix them as well.

    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe


    After you click fix, just close hijackthis.



    4) Download and install Erunt. Use it to create a backup of your registry.


    5) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the file type is set to "all files". Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.
    6) Now run CCleaner at the default setting with the Windows tab as the top one.

    7) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip and let me know if you got a success message for the registry patch (REGEDIT4).


    Let me know how things are running now.

    abri
     
  4. Razor79

    Razor79 Private E-2

    My guest account was already turned off. I'm assuming this is the same thing as disabling it?

    I removed windows messenger.

    I ran HJT and checked everything you had listed, even the stuff under your red question. I don't know why that stuff was loading. I guess I downloaded a program and it had an option to look for updates and I left it checked. I would really like to streamline my running processes to get them down to a manageable level so I can hopefully notice when something is running that shouldn't be. That will probably never happen though.

    I backed up my registry using Erunt.

    I made the text file and copied everything in your quoted field just as you had typed it. I merged the file with the registry and got a popup warning from windows asking me if I wanted to add it to the registry. After hitting ok I received another window telling me that the merge was successful.

    I ran CCleaner just as you instructed and it found a lot of cookies and files that had been deleted that it removed.

    Finally I ran HJT and my logs should be attached.

    I did get a pop up from Norton's after I ran the fix in HJT that said new restrictions have been created for something. About 10 minutes later I got another pop up from the task tray saying that InstallShield Update Manager needed to look for updates. I thought this was a little strange since I don't think I have ever seen installshield manager ask to look for updates.

    Other than that, the computer looks and drives like it is in very good condition. Let me know if you see anything else that needs to be or can be removed.
     


  5. abri

    abri MajorGeek

    Hi Razor79,

    I missed one thing. Please do the following:


    1) Delete this folder: C:\Program Files\Enigma Software Group



    2) Run C:\MGtools\analyse.exe by double clicking on it. (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe



    Do you need the following to run at startup? If not, please fix them as well.

    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [American Airlines DealFinder] "C:\Program Files\American Airlines DealFinder\American_Airlines_DealFinder.exe"
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet


    After you click fix, just close hijackthis.




    3) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the file type is set to "all files". Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "ctfmona"=-


    4) Run CCleaner.

    5) When you finish, please rerun analyse.exe as you did above and make sure the O4 entry with ctfmona is gone.

    How are things working now?

    abri
     
  6. Razor79

    Razor79 Private E-2

    I deleted the Enigma folder.

    I ran HJT and checked everything you have listed except these 2 choices were not there:

    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup


    I created the fixME.reg file just as I did the first one with the 2 lines you wrote. When I chose 'OK' to merge it, an error pops up saying:

    'Cannot import C:\Documents and Settings\...\fixME.reg: The specified file is not a registry script. You can only import binary registry files from within the registry editor.'
     
  7. abri

    abri MajorGeek

    Bad me. Let's try that again. Then complete the other steps after it as well.

    3) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the file type is set to "all files". Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.
     
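The fix above (and the O2/O4 lines listed in post 3) follow a fixed pattern: HijackThis reports a BHO whose DLL the earlier scanners already deleted but whose CLSID registration is still in place, plus a stray Run value, and the cleanup is a .reg script that removes them. The merge error in post 6 is what regedit says when the file lacks the REGEDIT4 (or "Windows Registry Editor Version 5.00") header line. The Python below is an added example, not code from the thread or from MajorGeeks: it parses O2/O4 lines of the shape shown in this thread, flags BHOs marked "(file missing)" or "(no file)", emits a properly headed REGEDIT4 script, and checks the header. The sample log lines are constructed from the entries quoted in the thread; the CLSID ending in ...DEAD is a deliberately fake placeholder for a legitimate BHO whose DLL is present, and the extra HKEY_CLASSES_ROOT\CLSID cleanup is a standard location that the thread itself does not mention.

```python
"""Added example: turn HijackThis O2/O4 lines into a REGEDIT4 removal script.

Not part of the original thread. Sample lines are constructed from the shapes
seen in the thread; the CLSID ending in ...DEAD is a fake placeholder.
"""
import re

SAMPLE_LOG = """\
O2 - BHO: (no name) - {3A7BB3DE-8B2C-4B66-830C-CF08052C3965} - C:\\WINDOWS\\system32\\iifDVNfe.dll (file missing)
O2 - BHO: (no name) - {8320577B-C992-44D2-8F8F-24FBF9260A24} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-00000000DEAD} - C:\\Program Files\\Example\\helper.dll
O4 - HKLM\\..\\Run: [ctfmona] C:\\WINDOWS\\system32\\ctfmona.exe
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\Program Files\\Java\\jre1.6.0_06\\bin\\jusched.exe"
O4 - HKCU\\..\\Run: [Yahoo! Pager] "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe" -quiet
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-F-]{36}\}) - (?P<target>.*)$", re.I)
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
BHO_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Virtumonde/Vundo dropped its BHO DLLs as eight random letters in system32.
VUNDO_NAME_RE = re.compile(r"\\system32\\[A-Za-z]{8}\.dll", re.I)


def parse_hjt(text):
    """Return one dict per recognised O2/O4 line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            target = m.group("target")
            entries.append({
                "type": "O2",
                "name": m.group("name"),
                "clsid": m.group("clsid").upper(),
                "target": target,
                # HJT appends these markers when the registered DLL no longer exists.
                "missing": target.endswith("(file missing)") or target == "(no file)",
                "vundo_name": bool(VUNDO_NAME_RE.search(target)),
            })
            continue
        m = O4_RE.match(line)
        if m:
            entries.append({"type": "O4", "hive": m.group("hive"),
                            "value": m.group("value"), "cmd": m.group("cmd")})
    return entries


def orphaned_bhos(entries):
    """CLSIDs of BHOs whose DLL is gone: a scanner removed the file, not the registration."""
    return [e["clsid"] for e in entries if e["type"] == "O2" and e["missing"]]


def build_reg(bho_clsids, run_values):
    """Emit a REGEDIT4 script deleting the given BHO registrations and Run values.

    run_values is a list of (hive, value_name) pairs, e.g. [("HKLM", "ctfmona")].
    REGEDIT4 files must be saved as ANSI text, which is Notepad's default on XP.
    """
    lines = ["REGEDIT4", ""]
    for clsid in bho_clsids:
        # A leading '-' inside the brackets deletes the whole key.
        lines += [f"[-HKEY_LOCAL_MACHINE\\{BHO_KEY}\\{clsid}]", ""]
        lines += [f"[-HKEY_CLASSES_ROOT\\CLSID\\{clsid}]", ""]
    for hive, value in run_values:
        # '=-' after a quoted value name deletes just that value.
        lines += [f"[{HIVES[hive]}\\{RUN_KEY}]", f'"{value}"=-', ""]
    return "\n".join(lines) + "\n"


def is_valid_reg_script(text):
    """Regedit refuses a file whose first line is not a recognised header.

    That is the 'The specified file is not a registry script' error from this
    thread: the snippet started with the [HKEY_...] line and had no header.
    """
    first = text.lstrip("\ufeff").splitlines()[0].strip() if text.strip() else ""
    return first in ("REGEDIT4", "Windows Registry Editor Version 5.00")


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    script = build_reg(orphaned_bhos(found), [("HKLM", "ctfmona")])
    print(script)
    print("valid header:", is_valid_reg_script(script))
```

Run it as a script to see the generated fixME.reg text; feed it a real HJT log instead of SAMPLE_LOG and it will only ever propose deleting registrations whose DLL HijackThis has already reported missing, so a BHO with a file on disk (like the placeholder entry) is left for a human to judge.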
  8. Razor79

    Razor79 Private E-2

    Yes, that regedit worked. ctfmona.exe is no longer in the O4 startup programs.

    When I run CCleaner I still have a lot of cookies showing up that I remove every time. I don't know what keeps creating them.

    I do have a question to help streamline my system now that I can actually see whats running. I want to stop a service and autoload, the Kodak program for example, since I hardly use it. The software doesn't have any options to keep it from autoloading, or running the services to look for updates, and this program takes an enormous amount of resources.

    Can I use HJT to remove the O4 Kodak process and/or the O23 Kodak service?

    I have also started going through your online directions for malware prevention. I downloaded online armor to use as my firewall and it shows svchost.exe transmitting small amounts of information. Is this normal? It only uploaded a couple of kB's but I didn't know if it was supposed to be doing that or if it was some more malware.

    Thanks for all your help by the way. You da man! I would have most likely had to format and start from scratch without your expertise. You guys should be helping Microsoft develop an OS that is secure and safe since they obviously can't figure out how to do it.
     
  9. abri

    abri MajorGeek

    Hi Razor79,

    Yes, it's normal for CCleaner to find all the junk left by websites, including all the cookies. You can also check your browser(s) settings to see how they are dealing with cookies, history etc. In Firefox you can look under Tools and Internet Options at the Privacy tab. Try out different settings for how long you want Firefox to keep your cookies. If you say to keep them until you close Firefox, then it will in essence be set to keep session cookies. In Internet Explorer, go to the tools and options and look for the level of protection. It can be set to low, medium and high protection (a sliding bar that goes up and down). There's a settings button there and when you click on that, it will allow you to turn off the automatic settings and set your own if you want to. Internet Explorer is set to allow you the most protection for the least amount of interference from browsing and generally the default settings are okay.

    Do you want the Kodak software otherwise? If not, you could uninstall the program altogether. If you want to keep it but just prevent it from loading, fix the O4 line in HJT. For the O23 line, do the following. Go to Start / Run and type in services.msc and click on okay. In the list of services that opens up, look for Kodak Camera Connection Software and click on it to highlight it. Over in the left part of the window, click on stop service. Then right-click on the Kodak Camera Connection Software and click on properties. In the Startup Type box set it to disabled.

    You can rerun analyse.exe and see if both entries are gone.

    After you complete the above, you can follow the instructions for the final cleanup which will remove the logs and tools we had you put on your computer. You'll also be asked to wipe all your previous restore points and set a clean one. If you want to keep HijackThis (analyse.exe), then please create a folder in C:\Program Files called HijackThis. Move analyse.exe over there from the MGTools folder. Also, move the folder in MGTools called Backup. This contains the backups for HijackThis which will allow you to put things back in
    abri
     
  10. Razor79

    Razor79 Private E-2

    Thanks for everything! The system has been running better than the day we bought it. Life is back to normal and I actually started sleeping again.

    I have disabled the often unused programs that we had running. My wife uses the kodak program to set up albums for her camera. She hardly ever takes pictures though so it hardly ever gets used. Still I don't want to just go and delete the whole program.

    The cleanup went great and I've rebooted several times and had no viruses pop up after scans with a couple of the scanner programs. It looks like you won the war with our computer.

    Thanks again for everything!
     
  11. abri

    abri MajorGeek

    You're welcome!
    Enjoy your computer!
    :)
     
