Virtumonde Removal?? cant get rid!

Hey guys, just found out about this site a while back hopefully you guys can help me i tried the faithful "google" but with no solution.

Kasperski found virtumode I have a log file attached.

the vundofix doesnt find anything. hopefully you guys can help

nice one if you can. let me know if you need anything else or have any ideas.

 

sorry for bieng so ingorant. im currently in the process of getitn the logs form the rest of the prgrams on the list

 

OK finished the process heres all my logs

 

there thatsd the last of them? how am i looking guys

 

i thought somebody would at leats give me a reply. nevermind

 

Hi JiggaRome,
Welcome to Major Geeks!

The two antispyware programs picked up a lot. That much I can see already.

Your computer doesn't seem to be in normal startup mode. Please go to Start/Run type in msconfig and in the window that opens click on normal system start, click on accept and okay.

After you've done the above, please go to C:\MGTools\GetLogs.bat and double click on it. Allow it to run to completion when you'll get a message like hit any key to close the window. Then come back here and attach the file called MGlogs.zip which is a file (not folder) located directly under C just above the superman icon. This will give me the correct HijackThis log so I can pick up the files that I'm still missing. The rest of the fix is pretty much done and I'm just waiting on that.

How is your computer doing after this initial work you did?

abri

 

hey abri thanks for the reply..
heres the lg you requested i thougth i posted them but i unzipped them.. here they are anyway. by the way the pc is running about 70% faster its incredible. thanks a lot

 

Hi JiggaRome,

Please do the following:

0) Begin by disabling your guest account if this hasn't already been done. The accounts can be changed under Start / Control Panel / User Accounts

1) Next, open your Windows Live Messenger, go to Help -> Customer Experience Improvement Program and turn it off. That will stop you getting all those sqm files. Then delete any of these files you find in C:\ with the structure sqmnoopt10.sqm

2) Go to add/remove programs and uninstall the below:

J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
Viewpoint Media Player

3) Reboot after uninstalling the above.

4) Install the current version of Sun Java from: Sun Java Runtime Environment

5) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

6) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {2a61d12d-b29f-4f5c-b72d-34d9123055ca} - (no file)
O2 - BHO: (no name) - {5a0137da-a5e1-4dc6-9214-2df0254daa76} - (no file)
O2 - BHO: (no name) - {96ea7dfd-0203-46f9-a757-1414b180bb99} - (no file)
O2 - BHO: (no name) - {9f9dd9fc-f9d3-44e9-8a37-4a218b0f9811} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

After you click fix, just close hijackthis.



7) Download and install Erunt. Use it to create a backup of your registry.


8) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

9) Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the 'Execute' button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

10) Now run CCleaner at the default setting with the Windows tab as the top one.

11) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


Let me know how things are running now?

abri

 

hey abri thanks so much for the help, the pc is running much better now , i still have a few little problems with the graphics card not being able to install the drivers for it after i re installed windows but i'm sure 'll sort that out soon...


thanks a lot for your help I've inlcuded the other log files aswell .

 

Hi JiggaRome,

Please attach the Avenger.txt log in the way we requested it. The file in the zip file, although listed as Avenger.txt, was a .bat file. The other two files you put into the zip files were the two files I asked you to remove using Avenger.

If you ran Avenger correclty, there will be an Avenger.txt log located directly under C:\ When you reply to me here and go to the Manage Attachments button and see if it is there.

Simply upload that .txt file.

The files themselves appear to be gone from your logs, so you must have removed them. I don't see any further signs for malware, so please finish by following the instructions in the box:

abri

 

sorry about that here is the avenger txt.

 

Hi JiggaRome,
I can't open your log for some reason, but if you just check it to make sure the things we tried to remove with Avenger were actually successfully removed, that will be good enough. Just open the Avenger.txt file and see if it removed the files. There were two of them.

As for any further problems which may come up, there are other forums here which offer help in all areas of computer activities so feel free to roam around.
All the best with your computer.
abri