virtumonde help !!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by rovrs, Jun 13, 2008.

  1. rovrs

    rovrs Private E-2

    Hi, my computer has been infected with Virtumonde. Scans by Ad-Aware SE and Spy Sweeper find it but don't remove it. I would appreciate help ASAP. Thanks.
     
  2. abri

    abri MajorGeek

    Hi rovrs,
    Welcome to Major Geeks!


    Please go through the instructions in the READ & RUN ME FIRST and attach the requested logs when you get done. Virtumonde is a form of malware which requires some manual removal of files and when we see your logs, we'll be able to make up a set of instructions that will be specific to your computer and its problems.

    Thanks.
    abri
     
  3. rovrs

    rovrs Private E-2

    Here's the first 3 logs.
     

    Attached Files:

  4. rovrs

    rovrs Private E-2

    Here's the last log.
     

    Attached Files:

  5. abri

    abri MajorGeek

    Hi rovrs,



    1) Please go to the following folders and delete their contents. You may have to delete them a few entries at a time. Delete everything Windows will allow you to delete:

    C:\Users\Thomas\AppData\Local\Temp\
    C:\Windows\Temp\


    2) Please disable your guest account if this hasn't already been done.


    3) Go to add/remove programs and uninstall the below:

    GameSpy Arcade
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5



    4) Reboot after uninstalling the above.

    5) Install the current version of Sun Java from: Sun Java Runtime Environment

    6) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    7) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O2 - BHO: DZTOOL - {0CB67C9D-5E1F-4963-93D1-F1D3B78F0313} - C:\Windows\system32\blingen.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\ssqPFYQK.dll,#1
    O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Thomas\AppData\Local\Temp\lJATlIay.dll,#1
    O4 - HKCU\..\Run: [BMa390837c] Rundll32.exe "C:\Users\Thomas\AppData\Local\Temp\khhwdemo.dll",s
    O4 - HKCU\..\Run: [a0a3b0e0] rundll32.exe "C:\Users\Thomas\AppData\Local\Temp\fmuhbijt.dll",b



    Do the following programs need to load at startup? If not, please fix them as well.

    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9


    After you click fix, just close hijackthis.


    8) Next I would like to have you use ComboFix to remove some files.


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):


    Code:
    KILLALL::
    
    FILE::
    C:\Windows\system32\ssqPFYQK.dll
    C:\ProgramData\BMa390837c.txt
    C:\ProgramData\BMa390837c.xml
    C:\ProgramData\pskt.ini
    
    REGISTRY::
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "MSServer"=-
    "BMa390837c"=-
    "a0a3b0e0"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "MSServer"=-
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0CB67C9D-5E1F-4963-93D1-F1D3B78F0313}]
    
    [-HKEY_CURRENT_USER\Software\Kazaa]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


    9) Now run CCleaner at the default setting with the Windows tab as the top one.

    10) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Combofix log.


    Let me know how things are running now?

    abri
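    A CFScript like the one in step 8 is executed by ComboFix with no confirmation, so it is worth reading back exactly what it will do before dragging it onto the ComboFix icon. The parser below is an added example written for this thread; it is not part of ComboFix or of the MajorGeeks instructions. It covers only the directives used in the script above (KILLALL::, FILE::, REGISTRY:: with "value"=- deletions and [-key] deletions) and turns the script into a plan that lists every file, registry value and registry key the script removes. The embedded script is copied from step 8; the section and line syntax it assumes is taken from that script alone.

```python
"""Read a ComboFix CFScript back as an explicit removal plan (added example, not ComboFix code)."""
import re

# Directive names are assumed from the script in this thread; other CFScript directives are not handled.
SECTION_RE = re.compile(r'^([A-Za-z]+)::\s*$')
KEY_RE = re.compile(r'^\[(-?)(.+)\]$')          # [KEY] selects a key, [-KEY] deletes it
VALUE_DEL_RE = re.compile(r'^"(.+)"=-$')        # "name"=- deletes a value under the selected key


def parse_cfscript(text):
    """Return a plan dict: killall flag, files to delete, keys to delete, (key, value) pairs to delete."""
    plan = {'killall': False, 'files': [], 'delete_keys': [], 'delete_values': []}
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).upper()
            current_key = None
            if section == 'KILLALL':
                plan['killall'] = True
            continue
        if section == 'FILE':
            plan['files'].append(line)
        elif section == 'REGISTRY':
            k = KEY_RE.match(line)
            if k:
                if k.group(1) == '-':
                    plan['delete_keys'].append(k.group(2))
                    current_key = None
                else:
                    current_key = k.group(2)
                continue
            v = VALUE_DEL_RE.match(line)
            if v and current_key:
                plan['delete_values'].append((current_key, v.group(1)))
            else:
                # Anything else would be a syntax we have not seen; refuse rather than guess.
                raise ValueError(f'unrecognised REGISTRY line: {line!r}')
        else:
            raise ValueError(f'line outside a known section: {line!r}')
    return plan


# The script from step 8 of this thread, embedded so the example runs offline.
CFSCRIPT = r"""KILLALL::

FILE::
C:\Windows\system32\ssqPFYQK.dll
C:\ProgramData\BMa390837c.txt
C:\ProgramData\BMa390837c.xml
C:\ProgramData\pskt.ini

REGISTRY::
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSServer"=-
"BMa390837c"=-
"a0a3b0e0"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"MSServer"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0CB67C9D-5E1F-4963-93D1-F1D3B78F0313}]

[-HKEY_CURRENT_USER\Software\Kazaa]
[-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-
"""

if __name__ == '__main__':
    plan = parse_cfscript(CFSCRIPT)
    print('kill all processes first:', plan['killall'])
    for path in plan['files']:
        print('delete file :', path)
    for key in plan['delete_keys']:
        print('delete key  :', key)
    for key, value in plan['delete_values']:
        print('delete value:', value, 'under', key)
```

Whole-key deletions ([-KEY]) are the lines to look at hardest, since they remove every value and subkey beneath the path; here they are limited to two BHO registrations and two vendor keys, while the Run and Policies\System cleanup is done value by value.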
     
  6. rovrs

    rovrs Private E-2

    There is only one log I attached, because when I was uploading the ComboFix one it said that it was the same? And do I need to do anything else, or has Virtumonde been removed?
     

    Attached Files:

  7. abri

    abri MajorGeek

    Hi rovrs,

    The log for Combofix is the same, because Combofix didn't run. I will give you a new set of instructions now and then I will have you reinstall Combofix over the old one and then we'll try it again.

    Please begin as follows.


    1) Start by downloading and running Process Explorer. You may or may not find the following, but we will look for them.

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of any of the below DLL or exe files (if found) and then click the kill button.

    C:\Users\Thomas\AppData\Local\Temp\lJATlIay.dll
    C:\Users\Thomas\AppData\Local\Temp\khhwdemo.dll


    After you have killed all instances of any of the above DLL's or exe's under winlogon click ok. (If you do not find these DLL's or exe's, just continue on.)

    Next double click on explorer.exe and again click once on each instance of any of the below DLL or exe files (if found) and then click the kill button.

    C:\Users\Thomas\AppData\Local\Temp\lJATlIay.dll
    C:\Users\Thomas\AppData\Local\Temp\khhwdemo.dll


    After you have killed all instances of any of the above DLL's or exe's under Explorer click ok. (If you do not find these DLL's or exe's, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of any of the below DLL or exe files (if found) and then click the kill button.

    C:\Users\Thomas\AppData\Local\Temp\lJATlIay.dll
    C:\Users\Thomas\AppData\Local\Temp\khhwdemo.dll


    After you have killed all instances of any of the above DLL's or exe's under iexplore click ok. (If you do not find these DLL's or exe's, just continue on.)

    Now just exit Process Explorer.


    2) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Thomas\AppData\Local\Temp\lJATlIay.dll,#1
    O4 - HKCU\..\Run: [BMa390837c] Rundll32.exe "C:\Users\Thomas\AppData\Local\Temp\khhwdemo.dll",s

    After you click fix, just close hijackthis.


    3) Next, please go to Using Combofix and reinstall it to the desktop. Allow it to install over the old copy and do not rename it.

    4) After you complete the above, I would like for you to copy these instructions and the instructions in Post 5, Step 8 to Notepad where you can find them, because I'm going to ask you to disconnect from the internet before you continue. You can also print them out if that's easier. Then I want you to disconnect from the internet and disable all of your security software - antivirus, antispyware and firewall.

    Then run the Combofix instructions again in post 5, step 8. Be sure that the Notepad file you create when you copy/paste the contents of the box into Notepad is saved to the same location as Combofix. This should be the desktop. The name of the Notepad file will be CFScript and when you have finished storing it and closed it, please close all open windows so you can see the desktop. Then point at the CFScript.txt on the desktop with your mouse and drag it over on top of the Combofix icon which is a red disk with a white X in it. This will cause Combofix to run, but it will run with the specific instructions you are giving it.

    5) After you finish the instructions in Post 5, Step 8, please run CCleaner.

    6) Then re-enable all your security software - antivirus, antispyware and firewall BEFORE reconnecting to the internet.

    7) After you reconnect, please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Combofix log.


    Let me know how things are running now?

    abri
     
    Last edited by a moderator: Jun 15, 2008
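    The HijackThis entries abri picked out in post 5 (step 7) and post 7 (step 2) share a pattern that is characteristic of the Virtumonde infection in this thread: Run values that launch rundll32.exe against a DLL in the user's Temp folder, export names that are an ordinal (#1) or a single letter, value names that look generated (a0a3b0e0, BMa390837c), and a BHO whose DLL is "(no file)". The triage script below is an added example for readers of this thread, not code from HijackThis or from the MajorGeeks helpers. It parses O2 and O4 lines in the format shown above and reports which of those heuristics each entry trips; the heuristics themselves are assumptions tuned to this log excerpt. The sample lines are copied from the two posts. Note what it does not catch: the DZTOOL BHO in system32 looks like an ordinary registration and was identified by the helper's judgement, which is why a list like this is an aid to review, not a replacement for it.

```python
"""Flag HijackThis O2/O4 entries that match the rundll32-from-Temp persistence seen in this thread.

Added example; the heuristics are assumptions, not HijackThis logic.
"""
import re
from dataclasses import dataclass

# O4 - HKLM\..\Run: [ValueName] command line
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
# O2 - BHO: Name - {CLSID} - path or (no file)
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$')
# rundll32[.exe] ["]path.dll["],export
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\S+)', re.I)
TEMP_DIR_RE = re.compile(r'\\(?:AppData\\Local\\Temp|Local Settings\\Temp|Windows\\Temp)\\', re.I)
HEX_NAME_RE = re.compile(r'[0-9a-f]{8,}')   # value names such as a0a3b0e0
DIGIT_RUN_RE = re.compile(r'\d{5,}')         # value names such as BMa390837c


@dataclass
class Finding:
    line: str
    reasons: list


def triage_line(line):
    """Return the reasons a single HijackThis line is suspicious; an empty list means no finding."""
    reasons = []
    m = O2_RE.match(line)
    if m and m.group('path').strip().lower() == '(no file)':
        reasons.append('BHO registered for a DLL that no longer exists')
        return reasons
    m = O4_RE.match(line)
    if not m:
        return reasons
    name, cmd = m.group('name'), m.group('cmd')
    r = RUNDLL_RE.search(cmd)
    if r:
        if TEMP_DIR_RE.search(r.group('dll')):
            reasons.append('rundll32 loads a DLL from a Temp directory')
        export = r.group('export')
        if export.startswith('#') or len(export) == 1:
            reasons.append(f'rundll32 export called as {export!r} (ordinal or one-letter name)')
    if HEX_NAME_RE.fullmatch(name) or DIGIT_RUN_RE.search(name):
        reasons.append(f'Run value name {name!r} looks machine-generated')
    return reasons


def triage(lines):
    """Run triage_line over a list of HijackThis lines and keep only the entries with findings."""
    findings = []
    for raw in lines:
        line = raw.strip()
        reasons = triage_line(line)
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


# Sample input copied from the HijackThis excerpts in posts 5 and 7 of this thread.
SAMPLE_LOG = [
    r'O2 - BHO: DZTOOL - {0CB67C9D-5E1F-4963-93D1-F1D3B78F0313} - C:\Windows\system32\blingen.dll',
    r'O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)',
    r'O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot',
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime',
    r'O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\ssqPFYQK.dll,#1',
    r'O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Thomas\AppData\Local\Temp\lJATlIay.dll,#1',
    r'O4 - HKCU\..\Run: [BMa390837c] Rundll32.exe "C:\Users\Thomas\AppData\Local\Temp\khhwdemo.dll",s',
    r'O4 - HKCU\..\Run: [a0a3b0e0] rundll32.exe "C:\Users\Thomas\AppData\Local\Temp\fmuhbijt.dll",b',
    r'O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe',
    r'O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"',
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"',
]

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for reason in f.reasons:
            print('   ->', reason)
```

Running it over the sample yields five findings: the orphaned BHO, the HKLM MSServer entry (export by ordinal only, since its DLL sits in system32), and the three HKCU entries that load DLLs from the Temp folder. The entries abri left to the user's discretion (Nero, iTunes, Adobe, Java) produce nothing, which matches the distinction the helper drew between "fix these" and "fix if you don't need them at startup".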
  8. rovrs

    rovrs Private E-2

    Here's the logs you asked for.
     

    Attached Files:

  9. abri

    abri MajorGeek

    Hi rovrs,

    None of the files that should have been removed by HijackThis (analyse.exe) were removed. This usually means that something is blocking the fix and this is often the security software. Please try running the same set of instructions again, only this time, copy them to somewhere like a notepad file so you can see them. Then disconnect from the internet and disable all your security software including antivirus, firewall and antispyware programs. Then try going through the instructions again and see if you are able to remove them this time. Be sure to re-enable your security software before you reconnect to the internet.

    When you're finished, rerun the C:\MGTools\GetLogs.bat by double clicking on it and then attach the new MGlogs.zip which you'll find under C:\

    Thanks.
    abri
     
  10. rovrs

    rovrs Private E-2

    Sorry for the late reply; here's the log you asked for.
     

    Attached Files:

  11. abri

    abri MajorGeek

    Hi rovrs,

    That looks better. There are some temp files you keep getting that I want to get back to you about. I'm not sure what they are.

    Other than that, your logs look clean. If your computer seems to be working all right please go ahead with the final cleanup instructions in the box below:
    abri
     
  12. rovrs

    rovrs Private E-2

    Thanks for the help, seems to be running fine now :)
     
