Virtumonde Causing Problems

Discussion in 'Malware Help (A Specialist Will Reply)' started by Need Help 2008, Mar 2, 2008.

  1. Need Help 2008

    Need Help 2008 Private E-2

    Spybot S&D says it cannot remove Virtumonde.dll & still can't after reboot and scanning again. I have followed "Basic computer maintenance steps" and run McAfee, Adaware & Spybot again. Then I followed the "Special Removal Procedures" for Virtumonde aka Trojan Vundo Removal. Below are the requested logs from vundofix and hijackthis. I am a newbie at using your forums, but have found the information helpful thus far. Let me know what my next step should be. Thanks!
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. Need Help 2008

    Need Help 2008 Private E-2

    Good thing I waited til the weekend to do all this. Guess I thought I was done after the "Virtumonde aka Trojan Vundo Removal steps," but this time I repeated everything all the way through "Read & Run Me First" ending with the completion of Step 2 in "Windows XP Cleaning Procedure."

    It will take a few days of use to know whether or not I am clean, so I have attached my logs to get your opinion on whether or not I should go ahead and do Step 4: Toggle System Restore. See logs attached.

    Also, if you have any advice on the following:
    1) I've had a hard time finding options in AIM and MySpaceIM to control autostarting them when Windows starts. Of course I don't want them to; they really slow things down. Most other "auto start" items I have found the controls for and changed them.
    2) A rotating blue square icon is also at the lower right with the other autostart icons. It has a message "dlsmgr - Memo Ready for Display" attached to it. Is this cause for concern? From what I have googled, this is a program that my computer needs rather than malware. It is bugging me.

    Thanks so much for your help thus far. I already feel better about my pc, even if not completely done yet. You are a pc wizard!
     


  4. abri

    abri MajorGeek

    Hi NeedHelp 2008,

    Your system is far from clean. Please do the following and then I will ask you to get a new set of MG logs.

    Go to add/remove programs and uninstall the following:

    Viewpoint Manager (Remove Only)
    Viewpoint Media Player
    LiveReg (Symantec Corporation)
    LiveUpdate 1.80 (Symantec Corporation)


    Once you've uninstalled those, please put your computer into normal startup mode. To do this go to Start / Run and type in msconfig and hit ok. In the screen that comes up, please check the box next to normal startup and click on accept and ok.

    Once your computer has booted up in normal mode, please go to the MGTools folder under C and find the file called GetLogs.bat. Double-click on this file and allow the program to run until it is finished. Come back here and make a new post and attach the new set of MGlogs.zip, which you'll find when you hit the manage attachments button by browsing to the files just under C:\ The MGlogs.zip is just above the superman icon.
     
  5. Need Help 2008

    Need Help 2008 Private E-2

    You must be right! My internet connection is so sluggish today and my desktop icons still disappear and then reappear (I think a symptom of Virtumonde or other malware). Anyway, I had been conflicted about removing Viewpoint earlier, but I have now removed it and followed the other steps you provided.

    The only glitch: When I run msconfig, the Normal option is already selected. When I try to Apply/OK it, I get this message: "System Configuration: An Access Denied error was returned while attempting to change a service. You may need to log on using an Administrator account to make the specified change." When I click OK, it still reboots. So I think I'm starting in Normal mode, but this message makes me wonder. I never use an administrator mode or login - I wouldn't even know what password to use. This is just a simple family pc - no multiple user accounts.

    Attached is the log as requested. Thanks in advance for your assistance.
     


  6. abri

    abri MajorGeek

    Hi NeedHelp,

    Your computer has restrictions on it which may account for your not being able to change to normal startup mode. I'll have you try again just before you run the MGTools.

    Your computer has been infected for some months.

    Is this folder on your desktop one which you created? If not, please look inside of it and tell me what's in it. Do not click on any files.

    Tblshtng


    Now please do the following:


    1) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger. If you aren't able to run it, wait until after completing the next step and then run it again.

    2) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: {52582bea-80e4-c3aa-da94-6a61826de3d5} - {5d3ed628-16a6-49ad-aa3c-4e08aeb28525} - (no file)
    O2 - BHO: (no name) - {6104EC23-0A52-4DB7-968D-86AD1DB83B87} - (no file)
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [dlsmgr] C:\Program Files\dlsmgr\dlsmgr.exe
    O4 - HKLM\..\Run: [djohn] c:\windows\system\bin\djrunner.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O8 - Extra context menu item: &Search - ?p=ZUxdm080YYUS
    O16 - DPF: {10000000-1000-0000-1000-000000000000} -
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} -

    Did you create the following restrictions? If not, please fix them as well.

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present


    Do the following belong to programs you know or want to keep? If not, please fix them as well.

    O22 - SharedTaskScheduler: bothrops - {1977ce08-a38f-43db-a856-f4aa6122131b} - (no file)

    After you click fix, just close hijackthis.

    3) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6104EC23-0A52-4DB7-968D-86AD1DB83B87}
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    4) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    5) Now go to Start / Run and type in msconfig and click on ok. In the window that opens up, see if normal startup mode is checked. If it is, just exit the window. If it is not, check that option and then click on accept and ok.

    6) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
     
    Last edited by a moderator: Mar 10, 2008
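    The HijackThis lines abri singled out above share a few recognisable traits: BHO and SharedTaskScheduler entries that point at files that no longer exist, Internet Explorer policy restrictions the user never set, DPF entries with no download URL, and an autorun living under an odd system path. The small triage helper below (an added example, not code from MajorGeeks or the thread) parses such log lines and flags those traits; the sample log is constructed from the lines quoted in that post.

```python
import re

# Constructed sample: a handful of the HijackThis lines quoted in the post above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {6104EC23-0A52-4DB7-968D-86AD1DB83B87} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [djohn] c:\windows\system\bin\djrunner.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {10000000-1000-0000-1000-000000000000} -
O22 - SharedTaskScheduler: bothrops - {1977ce08-a38f-43db-a856-f4aa6122131b} - (no file)
"""

# Every HijackThis line starts with a section tag such as O2, O4, O6, O16, O22.
LINE_RE = re.compile(r"^(O\d+) - (.*)$")


def triage_line(line):
    """Return a short reason if the line deserves a second look, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    # BHOs and SharedTaskScheduler entries whose target file is gone are orphans
    # left behind by a removed or partially removed component.
    if section in ("O2", "O22") and "(no file)" in body:
        return "orphaned entry: registry points at a missing file"
    # IE policy restrictions are rarely set by home users; malware uses them
    # to block the user from undoing its browser changes.
    if section == "O6" and "Policies\\Microsoft\\Internet Explorer" in body:
        return "IE policy restriction present: confirm the user set it"
    # A DPF (ActiveX download) entry with no URL after the CLSID is a stub.
    if section == "O16" and body.rstrip().endswith("-"):
        return "DPF entry with no download URL"
    # Autoruns launched from inside C:\Windows\System\bin are not a normal layout.
    if section == "O4" and re.search(r"\\windows\\system\\bin\\", body, re.I):
        return "autorun from unusual system path"
    return None


def triage_log(text):
    """Return (line, reason) pairs for every flagged line in a HijackThis log."""
    flagged = []
    for raw in text.splitlines():
        reason = triage_line(raw)
        if reason:
            flagged.append((raw.strip(), reason))
    return flagged


if __name__ == "__main__":
    for line, reason in triage_log(SAMPLE_LOG):
        print(f"{reason:55s} <- {line}")
```

The rules only encode the patterns visible in this thread; a flagged line still needs a human to decide whether the entry belongs to software the owner installed.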
  7. Need Help 2008

    Need Help 2008 Private E-2

    I followed all suggested procedures. I did create the Troubleshooting folder on the desktop to keep notes from troubleshooting efforts I've taken in the past. So no worries there.

    Had printed the instructions and didn't catch that "Disable/Remove Windows Messenger" was a link, so I removed Windows Live Messenger with Add/Remove at that point. No problem, I don't use that anyway. After the analyse.exe step, I did run the "Disable/Remove Windows Messenger" and I guess it ran. It was really quick, so it was hard to know if it ran or not.

    All else went smoothly. Logs are attached. Let me know what's next. Y'all are the best!
     


  8. abri

    abri MajorGeek

    Hi Need Help,
    If your computer is running better, you can go ahead with the final cleanup instructions in the box below.
    abri
     
  9. Need Help 2008

    Need Help 2008 Private E-2

    Abri-
    I believe my pc is doing better now. I followed the steps you gave to cleanup and am working on the "How to Protect Yourself..." I think they will be useful tips. Thanks again. I know who to turn to if I have problems again, and I will recommend Majorgeeks.com to others!!
     
  10. abri

    abri MajorGeek

    Thanks Need Help!
    Best of luck to you and your computer!
    abri
     
