Virtumonde??? - help!

Discussion in 'Malware Help (A Specialist Will Reply)' started by BearCreekZeke, Apr 13, 2009.

  1. BearCreekZeke

    BearCreekZeke Private E-2

    I have had an extremely malevolent virus/malware wreak havoc on my network (three desktops attached to a Netgear DSL router). I have already done two full restores, but am still trying to save the third machine. Four days (and about forty hours later) and I am still no further than where I started.

    The problem is blocking almost everything. I was able to fire up Spyware Doctor, but its efforts to fix the problems just seem to make the malware more angry.

    I tried to follow the Windows XP cleaning directions and got as far as running CCleaner (only after I copied from disc to the c:drive and ran it from there) on all user accounts.

    Very difficult to even get MBAM, SuperAntiSpyware and MGTools to open up, let alone run. They are all being blocked. For instance, I get MGTools to open up in a black box (like a DOS command box?) and it closes up/disappears within a second or two. MBAM won't even open (tried renaming, which at least got it to my C: drive, but won't run). SuperAntiSpyware won't run, even on alternate start. Tried the "gpedit.msc" workaround, but the computer states that it isn't installed.

    I would just save my data to an external hard drive and restore, but it won't recognize anything I connect. For whatever reason, it will let me write my data to my cd writer, but this is very slow, and only 650 mb at a time.

    I have disconnected this computer from my network/internet, because I suspect that whatever it was/is spread and that is how all three got infected in the first place.

    Any help would be greatly appreciated! :cry
    I feel like I am about to lose my mind.

    p.s. - I am running Windows XP SP3.
     
    Last edited: Apr 13, 2009
  2. BearCreekZeke

    BearCreekZeke Private E-2

    Also, I tried to use the "Botts"? method to clean this machine but could not get Process Explorer to run. When I tried to open it would flash the "start" screen and then disappear.

    Also, a couple of unknown processes can be seen in task manager: "nozfx768x.exe" and "397270126.exe".

    I have run several full scans with Spyware Doctor in normal mode and safe mode and safe mode w/networking, all to no avail. 100+ infections were found, with numerous processes, but no improvement after reboot. Also, was able to run MBAM in conjunction with Spyware Doctor on one machine, but that didn't seem to help either.

    Thanks in advance for any advice.
     
  3. BearCreekZeke

    BearCreekZeke Private E-2

    Sorry, not trying to bump this thread, just adding additional information after another couple hours battling this thing.

    I was finally able to get SAS installed. At approximately 1:00 into the scan, I get a blue screen error: PAGE_FAULT_IN_NONPAGED_AREA. This thing is really diabolical. I restarted and tried again three times, all with the same result.

    I am unable to get MBAM to even open.

    ComboFix opens in a black screen for a second or two. Occasionally I would get an error message that the Administrator has not granted permission to edit the registry. I am logged in as admin and can open regedit.exe just fine from the run box. I googled this problem and tried to manually edit the registry permissions. No luck, I still can't get ComboFix to stay open.

    Every time I restart the machine I get an error: "cli.exe - application error. The application failed to initialize properly 0xc0000076". Also, my "documents" folder opens up, along with IE.

    I'm not sure this is helpful, but it's all I have at this point.

    Thanks again for any help.
     
  4. BearCreekZeke

    BearCreekZeke Private E-2

    Sorry, don't mean to bump. I know I am only delaying things, but I thought it would be helpful to post the logs I was able to obtain.

    After a little sleep and thinking a bit more clearly, I was able to get SAS to run in safe mode and not blue screen crash. I was also able to run Malwarebytes and ComboFix. ComboFix, however, crashed writing the log, so there is no log. I am attaching the logs I was able to obtain. My system is still very slow, but it seems as though the steps taken have helped somewhat.

    Thank you for your patience.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!


    Please copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work. But continue on with the below no matter what.

    Also, did you fix what was found by MBAM? Your log shows you took no action. Just as a matter of precaution, and also because the malware could have spread more by now, run SUPERAntiSpyware again and fix what it finds. REBOOT immediately after running this.

    Then run Malwarebytes again (make sure you update first) and fix what it finds before saving a log. Then also immediately reboot but boot into safe mode for the below.

    Your MGtools log is very incomplete. Please try running MGtools in safe boot mode. Make sure you click twice on the Accept button to accept the license agreement for TrendMicro HijackThis. Also watch for error messages like those mentioned on the Using MGtools instructions page. I'm betting you may not be noticing that you are getting Error Message Type 1 and should just run the fix for this anyway.

    Now you can reboot normally and come back and attach these three new logs.
     
    Last edited: Apr 19, 2009
  6. BearCreekZeke

    BearCreekZeke Private E-2

    Thank you so much for the reply.

    I did successfully add to the registry, as instructed.

    I did run SAS and reboot. Log attached.

    I did run MBAM and did fix infections found (or at least I thought I did--I clicked on fix errors, or whatever, and the process was completed). Log Attached.

    I also ran MGTools, and the log is attached.

    Unfortunately, after running SAS and MBAM, I have lost all internet connectivity.

    This happened to me earlier, but I was able to go into Firefox and change the network connectivity settings to auto-detect proxy settings, which re-enabled my connectivity. I suspect the hijacker had changed the settings to manual proxy configuration, HTTP Proxy: localhost Port 7171, No Proxy for: localhost, 127.0.0.1. I have no idea what the manual proxy configuration was, or how it was changed from auto-detect, but I sure didn't do it. At the same time I was experiencing this problem, I also could not turn off the firewall in Windows Security Center, which I suspect had been blocking my network connectivity. The turn off firewall option was greyed out.

    Now my Windows Security Center is showing both firewall and anti-virus as unmonitored, with the error message "windows cannot start the windows firewall/internet connection sharing service". I am unable to start the ICS using the prompts and I have no idea how to start this manually. Still no connectivity after reboot.

    I hope I have followed all steps properly as instructed. Thank you again for your willingness to help.
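    The proxy change described in this post (a manual HTTP proxy silently pointed at localhost:7171) is a common hijack pattern: a local interceptor process captures or blocks the browser's traffic, and the machine loses connectivity once that process is removed. The following is an added example, not code from the thread or from any of the tools named in it, that parses Firefox `prefs.js` lines and a WinINET-style `ProxyServer` string and flags any manual proxy that points at a loopback address. The sample `prefs.js` content is constructed here from the settings the poster reported; the `7171` port comes from this post, and the loopback list is an assumption about what a legitimate user would never have configured by hand.

```python
import re

# Constructed sample of a Firefox prefs.js, built from the settings the poster
# reported (manual proxy to localhost:7171). Not copied from the original thread.
SAMPLE_PREFS_JS = '''
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "localhost");
user_pref("network.proxy.http_port", 7171);
user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1");
user_pref("browser.startup.homepage", "about:home");
'''

# One user_pref(...) line: name in quotes, then the raw value up to the closing ");"
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Addresses a home user would never set as a browser proxy by hand (assumption).
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def parse_prefs(text):
    """Return {pref_name: value} for every user_pref line.
    Strings are unquoted, true/false become bool, integers become int."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def suspicious_proxies(prefs):
    """Flag manual proxies (network.proxy.type == 1) whose host is loopback.
    Returns a list of (protocol, host, port) tuples; empty means nothing found."""
    findings = []
    if prefs.get("network.proxy.type") != 1:  # 0 = none, 1 = manual, 4/5 = auto-detect/system
        return findings
    for proto in ("http", "ssl", "ftp", "socks"):
        host = prefs.get("network.proxy.%s" % proto)
        port = prefs.get("network.proxy.%s_port" % proto)
        if host and host.lower() in LOOPBACK:
            findings.append((proto, host, port))
    return findings


def check_wininet_proxyserver(value):
    """Same check for the Internet Explorer / WinINET ProxyServer string, which is
    either 'host:port' (all protocols) or 'http=host:port;https=host:port;...'."""
    findings = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if "=" in entry:
            proto, hostport = entry.split("=", 1)
        else:
            proto, hostport = "all", entry
        host, _, port = hostport.rpartition(":")
        if not host:            # no ':' present: the whole thing is the host
            host, port = hostport, None
        if host.lower() in LOOPBACK:
            findings.append((proto, host, int(port) if port and port.isdigit() else port))
    return findings


if __name__ == "__main__":
    prefs = parse_prefs(SAMPLE_PREFS_JS)
    for proto, host, port in suspicious_proxies(prefs):
        print("manual %s proxy points at loopback: %s:%s" % (proto, host, port))
    for proto, host, port in check_wininet_proxyserver("http=localhost:7171;https=localhost:7171"):
        print("WinINET %s proxy points at loopback: %s:%s" % (proto, host, port))
```

    A loopback proxy is not proof of infection on its own (some legitimate filtering software installs one), so the output is a lead to check against the process listening on that port, not a verdict. Resetting the proxy type to auto-detect, as the poster did, restores connectivity but does not remove whatever was listening on the port.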
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, now that your MGlogs.zip file is a full complete log, I can see the reason for your problems including connection problems. You did not have your PC properly protected and as a result, your Windows operating system files have become infected and there is no known reliable fix for this. In addition there are many, many other infected files. We could spend a lot of time trying to remove this infection but odds are that it will not work because the nature of the infection has so many executable system files infected that as soon as we fix one file, other files that are infected will almost immediately or upon the next reboot, just reinfect the files. In addition, your PC would still basically be unreliable/untrustworthy even if we manage to fix the infected files that we can see since there could be many more that we are not seeing.

    The safest thing for you to do is backup your personal data immediately since your PC could possibly become unbootable at any point in time. Do not back up any executable files. This includes programs that you have downloaded since any of them could be infected.

    Once you backup, you need to delete all partitions, repartition, format partitions and reinstall Windows.
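    The advice above, "do not back up any executable files", is easy to break by accident: a file infector touches every PE file it can reach, and a renamed executable (`invoice.pdf` that really starts with the `MZ` header) would be carried straight onto the backup drive. The following is an added example, not code from the thread or from MajorGeeks, of a backup planner that excludes files by executable extension, by the `autorun.inf` name, and by the PE `MZ` signature regardless of extension. The sample file tree is constructed inside the example; the extension list is my own assumption about what Windows will run or auto-launch.

```python
import os
import shutil
import tempfile

# Extensions Windows will execute or auto-launch (assumption: a conservative list).
EXECUTABLE_EXTS = {
    ".exe", ".dll", ".scr", ".sys", ".com", ".pif", ".cpl", ".ocx", ".drv",
    ".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".lnk", ".msi",
}


def looks_like_pe(path):
    """True when the file starts with the 'MZ' DOS stub every Windows PE file carries.
    This catches executables hiding behind a data-file extension."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def classify(path):
    """Return 'copy' for data files, or 'skip:<reason>' for anything executable."""
    name = os.path.basename(path).lower()
    ext = os.path.splitext(name)[1]
    if name == "autorun.inf":          # the launcher for removable-media autorun
        return "skip:autorun.inf"
    if ext in EXECUTABLE_EXTS:
        return "skip:extension"
    if looks_like_pe(path):            # extension lied; content is a PE binary
        return "skip:pe-signature"
    return "copy"


def plan_backup(src_root):
    """Walk src_root and split files into (to_copy, skipped) lists of (relpath, verdict)."""
    copied, skipped = [], []
    for dirpath, _, files in os.walk(src_root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, src_root).replace(os.sep, "/")
            verdict = classify(full)
            (copied if verdict == "copy" else skipped).append((rel, verdict))
    return sorted(copied), sorted(skipped)


def run_backup(src_root, dst_root):
    """Copy only the files plan_backup() approved, preserving the directory layout."""
    copied, skipped = plan_backup(src_root)
    for rel, _ in copied:
        dst = os.path.join(dst_root, *rel.split("/"))
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.join(src_root, *rel.split("/")), dst)
    return copied, skipped


def demo():
    """Build a constructed sample tree, run the filtered backup, and report the outcome."""
    work = tempfile.mkdtemp()
    try:
        src, dst = os.path.join(work, "src"), os.path.join(work, "dst")
        os.makedirs(os.path.join(src, "Documents"))
        # Constructed sample files: two real data files, a real installer, a renamed
        # executable, and an autorun.inf of the kind that spreads via USB sticks.
        samples = {
            "Documents/report.doc": b"\xd0\xcf\x11\xe0 fake word document body",
            "Documents/photo.jpg": b"\xff\xd8\xff fake jpeg body",
            "Documents/setup.exe": b"MZ fake installer",
            "Documents/invoice.pdf": b"MZ executable renamed to look like a PDF",
            "autorun.inf": b"[autorun]\r\nopen=setup.exe\r\n",
        }
        for rel, data in samples.items():
            with open(os.path.join(src, *rel.split("/")), "wb") as f:
                f.write(data)
        copied, skipped = run_backup(src, dst)
        on_disk = sorted(os.listdir(os.path.join(dst, "Documents")))
        return dict(copied), dict(skipped), on_disk
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    copied, skipped, on_disk = demo()
    print("copied: ", copied)
    print("skipped:", skipped)
    print("on backup drive:", on_disk)
```

    The check enforces the "no executables" rule; it does not make the remaining data files trustworthy (a document with macros is still a document with macros), which is why the post above also says to reinstall programs only from clean downloads or original media.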
     
  8. BearCreekZeke

    BearCreekZeke Private E-2

    Thank you again for your help. I was afraid this is what you would recommend.

    My question at this point is how do I carry out your recommendations?

    I have already done system recovery on two of my three computers, and the viruses/malware are seeming to come back. I have taken a couple of programs I use off of one of my infected computers, copied them to a USB hard drive, and re-installed on recovered systems after running complete scans of the USB hard drive with SAS, Spyware Doctor, Norton, and Malwarebytes. I am not sure if this is what is causing me problems, or not. I do not have install disks for some of these programs, which were purchased online, downloaded and installed. I no longer have the download (zip) files.

    Also, I am not sure what you mean when you say I need to "delete all partitions, repartition, format partitions and reinstall Windows".

    What I have been doing is inserting the system recovery disks in my DVD drive and doing a system recovery from them. Is this not sufficient? Could you give step by step instructions as to deleting the partitions, etc.?

    Is it time for me to call in an IT person? Will they know exactly what to do?

    Thank you again for your help and advice.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As I stated in my previous message, any executable files could be infected and cannot be trusted. Do not reinstall from backups like this. After you reinstall your OS and before installing any other programs, make sure things look ok. Then install your protection software from clean new downloads that were downloaded on an uninfected system or from original CDs from the manufacturer. If you made your own backup CDs, they could be infected.

    You will have to work this out in the Software Forum or search the internet as we do not have time to guide you through this in the Malware Forum. I'm sorry but we are just way too busy fighting malware.

    That is not what I would suggest due to the nature of the infection. I still suggest deleting partitions. However if you do this and are immediately reinfected after the recovery and before reinstalling any of your other non-Windows software backups, then obviously the recovery is ineffective. If you are clean until you reinstall your backups, then your backups are the problem.

    Depends on who you call. ;)
     
  10. BearCreekZeke

    BearCreekZeke Private E-2

    Thank you, Thank you, Thank you for all your help.

    I can't tell you how appreciative I am just knowing that there are people out there such as yourselves who are willing to help other people in need.

    Although I hope and pray that I am at the tail end of this almost two-week nightmare that has frozen me and my business in my tracks (knock on wood), I don't think I could have gotten through with my sanity intact without at least the hope that someone out there was willing to help.

    At times I felt as if I were going insane, running full scan after full scan after full scan of every conceivable anti-virus program, hour after hour after hour, only to have the malware come back again and again and again.

    I went through numerous complete system recoveries only to become reinfected over and over again.

    Your advice to delete all partitions and not install any executable files from the infected computers was good, as far as I can tell, so far so good, anyway. I am painstakingly trying to restore my systems piecemeal from uninfected backups/drives here and there.

    A couple days ago someone put me in touch with the network security guy at our local community college and he advised that there is some really nasty stuff out there right now that even Microsoft and the big security firms can't defeat. My computers were being reinfected just by inserting an infected thumb drive and doing nothing! The autorun would kick on as soon as the drive was inserted and start injecting worms and dropping payloads (not sure about the lingo) and all hell would break loose. Hours and hours of restoration work completely wiped out in a brief second of irreparable harm. The network security guy told me not to feel too bad, even people who do computer security for a living cannot defeat this malware (he specifically referenced the new Conficker worm, even though I don't believe that is what I had, but who knows?). This did give me comfort, knowing I was not alone--the only insane idiot on the planet dealing with this mess. He indicated that thousands of people (or perhaps millions) were suffering the same fate.

    I continue to ponder why people would perpetrate such evil? Is it the security software people brewing this stuff up for job security? (Like the firemen in so many movies who turn out to be the arsonists--no offense meant to any of you fine firemen out there--thank you for your service).

    I could understand if there was ransom involved, like the Somali pirates. Believe me, if someone called me and demanded ransom to release me from this plague I would have gladly paid it.

    My computers were rendered totally inoperable. What use could they have been to the perpetrators?

    Are any of these people prosecuted? Is it even a crime to manufacture malware and infect millions of computers?

    I am convinced we need a little justice here. If there is no deterrence, these criminals will propagate just like their devilish diabolical creations.

    If anyone knows where these people live, I would be interested in going to pay them a visit, perhaps with my trusty Sig 5.56, perhaps loaded with some 75 grain hollow points manufactured in Serbia, which is probably pretty close to their home turf. I am hoping the US military gets serious with these people. Maybe Delta force can pay them a visit. We are talking about cyber-terrorism here, as far as I am concerned. But I digress.

    Thank you again for your help and for offering hope to the afflicted. Without hope, we surely all would be lost.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Yes he was thinking of Conficker but it is no big deal to remove if you know what you are doing. We have fixed hundreds of these. Obviously when we have to guide someone on how to do it, it is more complex, but when I have access to a PC infected with Conficker, it only takes me about 20 minutes to remove the infection and most of the time is due to the reboots needed.

    No, you did not have Conficker. You had loads of other malware and one of them, which is the real reason you need to reboot, is a Virut-like infection that has all of your executable files infected. All of the other infections (like Vundo, SpamTool, etc.) that you see in the logs are problems, but they are not the reason for needing reinstalls.

    The problem with inserting USB drives and getting infected can be controlled by following the below sticky thread procedure:

    Disabling AutoRuns

    Also, using this Flash Disinfector is quite handy and helps prevent infections in cases where an already infected flash drive is plugged into a system.


    Several million people have had Conficker, but you are not one of them. At least not on this PC. ;)

    Some people just like to be destructive and some are trying to steal information.

    Very unlikely because the penalty if they were discovered doing this would be incredible.

    Rarely, and only when it is an infection that is extremely widespread and newsworthy and has caused significant financial losses. Many of the people writing this junk are not in the USA and our laws do not apply. There are actually thought to be gangs of different people in different locations developing much of these infections.
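    The "Disabling AutoRuns" procedure linked above is not reproduced on this page, so the following is an added example of my own, not the sticky thread's content or any MajorGeeks tool, showing how to read the result of such a fix out of a registry export. On Windows XP the `NoDriveTypeAutoRun` DWORD under `Policies\Explorer` is a bitmask of drive types on which AutoRun is disabled; the XP default `0x91` leaves removable drives and CD/DVD enabled, which is exactly the USB-stick reinfection route the poster describes, while `0xFF` disables it everywhere. Microsoft's KB967715 update additionally requires `HonorAutoRunSetting=1` before the mask is respected on XP. The `.reg` texts below are constructed samples; the bit meanings are from Microsoft's documentation of that value.

```python
import re

# Bit meanings of NoDriveTypeAutoRun (a set bit disables AutoRun for that drive type).
DRIVE_BITS = [
    (0x01, "unknown (no root directory)"),
    (0x04, "removable (USB/floppy)"),
    (0x08, "fixed"),
    (0x10, "network"),
    (0x20, "CD-ROM/DVD"),
    (0x40, "RAM disk"),
    (0x80, "unknown type"),
]
ALL_DRIVES = 0xFF
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# Constructed sample exports: the weak (XP default) setting and a hardened one.
WEAK_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
'''

HARDENED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"HonorAutoRunSetting"=dword:00000001
'''


def parse_reg(text):
    """Minimal .reg parser: {key_path: {value_name: value}}; dword values become int."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(.*)$', line)
            if not m:
                continue
            name, raw = m.groups()
            if raw.lower().startswith("dword:"):
                result[current][name] = int(raw[6:], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                result[current][name] = raw[1:-1]
            else:
                result[current][name] = raw
    return result


def autorun_allowed_on(mask):
    """Drive types whose bit is clear, i.e. where AutoRun is still permitted."""
    return [desc for bit, desc in DRIVE_BITS if not mask & bit]


def assess(reg, key=POLICY_KEY):
    """Summarise the AutoRun posture recorded under the given policy key."""
    values = reg.get(key, {})
    mask = values.get("NoDriveTypeAutoRun")
    if mask is None:
        # Value not present in this export: nothing to decode, report that plainly
        # rather than guessing at the system default.
        return {"configured": False, "mask": None, "allowed_on": None,
                "fully_disabled": False, "honor_autorun_setting": False}
    return {
        "configured": True,
        "mask": mask,
        "allowed_on": autorun_allowed_on(mask),
        "fully_disabled": (mask & ALL_DRIVES) == ALL_DRIVES,
        "honor_autorun_setting": values.get("HonorAutoRunSetting") == 1,
    }


if __name__ == "__main__":
    for label, text in (("weak", WEAK_REG), ("hardened", HARDENED_REG)):
        report = assess(parse_reg(text))
        print(label, hex(report["mask"]), "AutoRun still allowed on:", report["allowed_on"],
              "| HonorAutoRunSetting:", report["honor_autorun_setting"])
```

    Run against an export of the real key (`reg export` from the machine under review), it tells you whether the sticky-thread fix actually took effect; the same value also exists under `HKEY_CURRENT_USER`, and the more restrictive of the two applies, so both exports are worth checking.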
     
