Virtumonde is on my pc

CDF69 · Jul 31, 2008

as you can see, i'm a new guy...came across this forum when i was tryin to find out how to get rid of this Virtumonde adware/virus crap...i got it less than a week ago while downloading a movie torrent....stupid me :mad...should have paid attention to the comments...but i didn't and now i have this Virtumonde virus....i've seen some of the other people's threads and i'm having the same problems...any help is GREATLY appreciated!!

i've went through your steps (READ & RUN ME FIRST. Malware Removal Guide) of cleaning my pc....ran through all the programs...got all the programs and logs sittin on my pc...i will attach them with this post (in case you need to see them now)....

thank you thank you thank you
chris

CDF69 · Jul 31, 2008

here is the super spyware log...

TimW · Aug 1, 2008

It looks like the scans took care of it.....let's just do this:

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
Click to expand...

After clicking Fix, exit HJT.

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[-HKEY_CURRENT_USER\Software\Kazaa]
[-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-
Click to expand...

Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked so if you have some cookies you'd like to save. Please move them to a different directory first.

* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.

If you use Firefox browser

* Click Firefox at the top and choose: Select All
* Click the Empty Selected button.
o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

* Click Opera at the top and choose: Select All
* Click the Empty Selected button.
o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main ATF Cleaner menu to close the program.

Now tell me what malware issues you may still have.

CDF69 · Aug 2, 2008

well i couldn't get the firefox tab to work for some reason on the ATF cleaner...so i just went through firefox itself and emptied all private data (i'm guessing that is what ATF is supposed to do?)

i've ran superspyware, spy sweeper, and spybot search and destroy at least once a piece doing a full scan...and its not bringing anything up but maybe a cookie or two...but no virtumonde is coming up....so i'm assuming that is taken care of...haven't seen any popups on firefox, my windows security center is no longer telling me that automatic updates is off...

so *knock on wood* hopefully it is gone...i will keep running the spyware programs every now and again just to make sure...what spyware program should i have running in my system tray? would you suggest Superspyware, spy sweeper (good until 1-29-09), or spybot? and would you suggest running your cleaning guide once in awhile also?

thanks a million
chris

TimW · Aug 3, 2008

Good to know. You should keep whatever you currently have ...at least until the paid for programs are expired.

Your logs look clean.

If you are not having any other malware problems, it is time to do our final steps:

You can uninstall SUPERAntiSpyware now.

We recommed you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.

If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required

"%userprofile%\Desktop\combofix" /u

Notes: The space between the combofix" and the /u, it must be there.

This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Delete the C:\combo-fix folder from combofix.

If we had you run Avenger, you can delete all files related to Avenger now.

If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.

If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip

If you are running Vista, Windows XP or Windows ME, do the below:

Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

Click to expand...

Log in or Sign up

Virtumonde is on my pc

CDF69 Private E-2

Attached Files:

ComboFix.txt

mbam-log-7-31-2008 (15-21-31).txt

MGlogs.zip

CDF69 Private E-2

Attached Files:

SASlog.txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

CDF69 Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member