Virtumonde Removal Logs

Hi we are looking at your logs, please be patient whilst we do so and we will get back to you as soon as possible

Thanks
Kes13!

 

Hi sargesteve!

1) Please go to Add and Remove Programs and uninstall the following software:

• Viewpoint Media Player <--- as per requested in step 1 of the "Read and Run Me First" procedures

2) Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.



3) Now we need to use ComboFix to remove a bunch of malware files.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
• If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::


File::
C:\WINDOWS\System32\cgccqble.dll
C:\WINDOWS\System32\eomtqcrg.dll
C:\WINDOWS\System32\hGvtUMCt.dll
C:\WINDOWS\System32\mhdafdoa.dll
C:\WINDOWS\System32\mLEUkJyy.dll
C:\WINDOWS\System32\npkyudsi.dll
C:\WINDOWS\System32\poxegsiq.dll
C:\WINDOWS\System32\tpdsocrc.dll
C:\WINDOWS\System32\xlhgpiuk.dll
C:\WINDOWS\System32\ybtqcdet.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"TkBellExe"=-
"QuickTime Task"=-

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.



4) Now Run Ccleaner!


5) Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this as well as the log from combofix.


Be sure to tell us how things are running.

Thanks
Kes13!

 

Hi SargeSteve

Your logs are clean, and not alot remains to be done.

I see that Windows Messenger is still actually running, both your last and your most recent HJT log's reveal this.

So I would suggest that you do run the script provided back in the earlier posts.


With that we can now complete the final steps:

If you are not having any other malware problems, it is time to do our final steps:

1. We recommed you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /u
     • Notes: The space between the combofix" and the /u, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
   • Delete the C:\combofix folder from combofix (if it exists)
3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
5. Go to add/remove programs and uninstall HijackThis.
6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
7. If you are running Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
8. After doing the above, you should work thru the below link:
   • How to Protect yourself from malware!

Thanks
Kes13!

 

No they are not the same thing. Back in message number 5 you said you already uninstalled Windows Messenger and that you use Windows Live Messenger which totally different. What that uninstalled did was remove Windows Messenger which is old, out of date and a security risk which is why Microsoft even stopped supporting and actually uninstalled it themselves with certain Windows Updates.

The below is what we saw in your logs and these are Windows Messenger, not Windows Live Messenger.

Windows Live Messenger looks like the below:

So if you really were using Windows Messenger even though your logs show that you have installed Windows Live Messenger, you really need to switch to using Windows Live!

 

No it only removed Windows Messenger.

If you look at the very first logs you posted when you came here, you can see that you did not even have Windows Live Messenger loading in any of your logs. It was installed, but not properly per a Microsoft standard installation.

Are you using any AOL software (including AIM)? That may be where it comes from.

 

Okay then just make sure you have completed all of Kestel13!'s final instructions in message # 6.