Virtumonde problems...

Discussion in 'Malware Help (A Specialist Will Reply)' started by kroonect, May 15, 2008.

  1. kroonect

    kroonect Private E-2

    I've got big problems with virtumonde and virtumonde.dll

    I've already used Spybot S&D; it removed it, and it came back again after a while. But it seems useless. I've also already used vondefix.exe and VirtumundoBeGone.exe, and they seem to be useless too...

    So I tried the first step and have already attached the files... Feel free to look at them and PLEASE help me on this one... I've already been frustrated by this problem, being awake and sleeping only 4 hours a day... :zzz:zzz:zzz
     

    Attached Files:

  2. kroonect

    kroonect Private E-2

    And another one I just added
     

    Attached Files:

  3. abri

    abri MajorGeek

    Hi kroonect!
    Welcome to Major Geeks!

    What happened with SuperAntiSpyware? I don't see a log or a word about it? Please run it and then run Combofix again and then do a new set of MGlogs. To get the new logs for the MGlogs, go to C:\MGTools\GetLogs.bat and double-click on it. Allow it to run all the way to the end. When you use the Manage Attachments button with your next post, look for the MGlogs.zip directly under C: Also be sure to run CCleaner before you start.

    Run the scans in the order I've requested:

    CCleaner (won't have a log)
    SuperAntiSpyware (SAS log)
    Combofix (combofix.log)
    GetLogs.bat ----> MGlogs.zip


    Thanks.
    abri
     
  4. kroonect

    kroonect Private E-2

    Ok... I've already done the sequence for the procedure...

    Here it is...
     

    Attached Files:

  5. abri

    abri MajorGeek

    Hi kroonect,

    Please do the following:



    1) Open your Windows Live Messenger, go to Help -> Customer Experience Improvement Program and turn it off. Then go to C:\ and delete all the files with this structure: sqmnoopt12.sqm


    2) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    3) Run C:\MGtools\analyse.exe by double clicking on it. (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O20 - Winlogon Notify: pmnkLBSi - C:\WINDOWS\

    After you click fix, just close hijackthis.




    4) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt


    5) Now run CCleaner at the default setting with the Windows tab as the top one.

    6) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
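Step 3 above removes a Winlogon Notify entry (what HijackThis reports as an O20 line). As an added example, not part of this thread or of HijackThis/MGtools, the following PowerShell snippet lists every Notify package registered under the standard Winlogon key and flags DLLs that are missing from disk or carry no valid Authenticode signature, so the fix can be verified after the reboot. Only the standard registry path and built-in cmdlets are used; the `Suspicious` column is a review hint, not a verdict.

```powershell
# Added example (not from the thread): enumerate Winlogon Notify packages
# under the standard key that HijackThis O20 entries refer to, and report
# which DLLs are missing on disk or lack a valid Authenticode signature.
function Get-WinlogonNotifyReport {
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (-not (Test-Path -Path $base)) {
        # Vista and later no longer load Notify packages, so the key may be absent.
        return @()
    }
    Get-ChildItem -Path $base | ForEach-Object {
        $dll = (Get-ItemProperty -Path $_.PSPath).DLLName
        # A bare file name such as "foo.dll" is loaded from System32.
        $path = if ($dll -and -not ([System.IO.Path]::IsPathRooted($dll))) {
            Join-Path -Path $env:SystemRoot -ChildPath "System32\$dll"
        } else { $dll }
        $exists = [bool]($path -and (Test-Path -LiteralPath $path))
        $sig = if ($exists) {
            (Get-AuthenticodeSignature -FilePath $path).Status
        } else { 'FileMissing' }
        [pscustomobject]@{
            Package    = $_.PSChildName   # random-looking names, like pmnkLBSi above, deserve a look
            DllName    = $dll
            Resolved   = $path
            Signature  = $sig
            # Missing or unsigned DLLs are the ones to review; OS files that are
            # catalog-signed rather than embedded-signed may also show up here.
            Suspicious = ($sig -ne 'Valid')
        }
    }
}

Get-WinlogonNotifyReport | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt before and after the HijackThis fix; the removed package should no longer appear in the output.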
     
  6. kroonect

    kroonect Private E-2

    I've already done as you told me.

    Here are the attachments.
     

    Attached Files:

  7. abri

    abri MajorGeek

    Hi kroonect,


    1) Please go to the following folder in Windows Explorer and delete any of the files in it that you are allowed to delete. Windows will not allow you to delete files from the current date.

    C:\Documents and Settings\Ronin.KRAKEN\Local Settings\temp\


    2) The below file was put on your computer on May 12th. If you do not recognize it or know what it belongs to (you can right-click on it and look at Properties for more information) then please have it scanned at either
    jotti or VirusTotal

    C:\WINDOWS\system32\RTPScan.dll


    3) Run C:\MGtools\analyse.exe by double clicking on it. (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"



    After you click fix, just close hijackthis.


    4) Go to Windows Explorer and look in the following folder. Do you recognize everything in this folder?

    C:\Documents and Settings\Ronin.KRAKEN\My Documents\


    5) Finally, please run CCleaner.

    I will wait to hear back from you about the above.

    abri
     
  8. kroonect

    kroonect Private E-2

    1. Done

    2. Suspected as Madcode-A variant

    3. Done that :D

    4. Yup, I know everything about that :D mostly for my project

    5. Done that too :)
     
  9. abri

    abri MajorGeek

    Hi kroonect,

    Please run Avenger again as you did in post 5, step 4, only this time use the contents of this box including the words Files to delete:
    Then run CCleaner again.

    I think everything is almost done, but I would like to see a fresh MGlogs.zip one more time before I post the final instructions to you. As a reminder, go to the MGTools folder in C and find the file called GetLogs.bat. Doubleclick on it and allow it to run to completion. Hit any key to close the program. Then upload the logs using the Manage Attachments button here.

    How is your computer working now?
    abri
     
  10. kroonect

    kroonect Private E-2

    Ok...

    Done that :)
     

    Attached Files:

  11. abri

    abri MajorGeek

    Hi kroonect,

    You still have one malware file. Please go to this folder and delete everything Windows allows you to delete: (Windows will not allow you to delete temp files from the current date.)

    C:\Documents and Settings\Ronin.KRAKEN\Local Settings\temp\

    Then delete this file: C:\WINDOWS\BM4b5ba8bd.txt

    When you finish the above, go ahead with the final cleanup instructions:
    abri
     
  12. kroonect

    kroonect Private E-2

    Done that, now my PC runs smoothly. Thx for the tips, Abri :)
     
  13. abri

    abri MajorGeek

    You're welcome!
    Enjoy your computer!
    :)
     
