virtumonde problem

garglesand · Oct 14, 2008

Hi,
I seem to have picked up the vundo virus. I ran through the cleaning process and it seemed to clear it, but a day later my AVG sometimes shows alot of trojan files in my /system32 folder to be healed. AVG still shows 3 changes to files when run too.
I'm attaching logs as per the run me 1st page:

Thanks for any help

garglesand · Oct 14, 2008

And the mg logs:

TimW · Oct 15, 2008

I am not seeing any malware issues....what exactly is AVG reporting?

garglesand · Oct 18, 2008

Hi,
Thanks for checking the logs. After running the described programs to get rid of vundo i was getting alot of avg alerts saying there were .dlls that needed healing. I think this could just have been it finding files that had already been healed as AVG seems ok now.
I'm still getting AVG reports of changes:

http://img.photobucket.com/albums/v702/Garglesand/avglog.jpg

Last time I got the vundo (on my main PC) it was a real pain to get rid of, so I'm a little paranoid that this one seems to have been exterminated so easily

TimW · Oct 18, 2008

Look at your logs and you will see what all was found and removed. What you are seeing from avg is just changes to those files which is normal.

If you are not having anymore malware issues, then:
Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[-HKEY_CURRENT_USER\Software\Kazaa]
[-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-

Click to expand...

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

If you are not having any other malware problems, it is time to do our final steps:

We recommed you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.

If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required

"%userprofile%\Desktop\combofix" /u

Notes: The space between the combofix" and the /u, it must be there.

This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Delete the C:\combofix folder from combofix (if it exists)

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip

If you are running Vista, Windows XP or Windows ME, do the below:

Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

Click to expand...

If you get a success message, then:

garglesand · Oct 18, 2008

Yes, it worked.
Cheers for help.
Hopefully I'm clean now

TimW · Oct 18, 2008

Good to know.....safe surfing.

Log in or Sign up

virtumonde problem

garglesand Private E-2

Attached Files:

SASLog.txt

MBAM.txt

combo.txt

garglesand Private E-2

Attached Files:

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

garglesand Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

garglesand Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member