Virtumonde Removal Pls

Discussion in 'Malware Help (A Specialist Will Reply)' started by feri, Apr 21, 2008.

  1. feri

    feri Private E-2

    I have been reading the posts for this trojan and how to remove it. It seems like everyone's problem is a tailor-made removal process. I have tried many things via safe mode and disabling system restore. I believe that I have managed to reset this trojan to its starting stage and that it's only a matter of time before it goes wild again.
    I would like to request for help with this. Please advise on how to get started with the removal process. I have read the basic 'read me' page and done the basic stuff.

    Thank you
    f.
     
  2. abri

    abri MajorGeek

    Hi feri,
    Welcome to Major Geeks!


    Please go through all the instructions in the READ & RUN ME FIRST including those specific to your operating system. When you get done, you should have 4 logs to attach to your next two posts. When we get them, we'll take a look and see if there are still files which need to be removed.

    Thanks.
    abri
     
  3. feri

    feri Private E-2

    It has taken me a while to do this, sorry. Here are the attachments.
     

    Attached Files:

  4. feri

    feri Private E-2

    I have a feeling I have done this wrong. Please let me know. Here is the zip file attached
     

    Attached Files:

  5. abri

    abri MajorGeek

    Hi feri,

    The logs you attached were fine. Please do the following:

    1) To begin with, please disable Spybot's TeaTimer. This can be done two ways.
    First:
    • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
    • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
    • If you have Version 1.4, Click on Exit Spybot S&D Resident
    or Second, For Either Version :
    • Open Spybot S&D
    • Click Mode, choose Advanced Mode
    • Go To the bottom of the Vertical Panel on the Left, Click Tools
    • then, also in the left panel, click Resident (shows a red/white shield).
    • If your firewall raises a question, say OK
    • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
    • OK any prompts.
    • Use File, Exit to terminate Spybot
    2) Go to add/remove programs and uninstall the below:

    Java(TM) 6 Update 3
    Java(TM) 6 Update 5


    3) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    O2 - BHO: (no name) - {4A118058-DD55-4984-BA24-2DB90115EC80} - (no file)
    O2 - BHO: (no name) - {60dad4d9-6e4d-4845-8c1b-83e1254e78e7} - (no file)
    O2 - BHO: (no name) - {7A50A140-0B85-4B54-AC66-7D84B3F55651} - (no file)
    O2 - BHO: (no name) - {989AE421-0ED4-46A0-8D0D-32552CD46263} - (no file)
    O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
    O2 - BHO: (no name) - {B04E30D6-EA63-435B-8365-7DB432955CE3} - (no file)
    O2 - BHO: (no name) - {c2ccf178-f6ec-4d9e-be54-9c1ed14b0e42} - (no file)
    O2 - BHO: (no name) - {F9183158-88DD-448F-959F-DB941F146D0E} - (no file)
    O2 - BHO: (no name) - {FBA49605-64A3-42D8-8AAE-E515D2948EF6} - (no file)
    O20 - Winlogon Notify: byXPGAsq - byXPGAsq.dll (file missing)

    After you click fix, just close hijackthis.

    4) Download and install Erunt. Use it to create a backup of your registry.

    5) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    6) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    7) Install the current version of Sun Java from: Sun Java Runtime Environment

    8) Now run CCleaner at the default setting with the Windows tab as the top one.

    9) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
     
  6. feri

    feri Private E-2

    abri, thanks for your swift response. I am at work now and will only be able to do things tomorrow night.
    Thanks again and will get back to you.
     
  7. feri

    feri Private E-2

    Step 9. I ran the MG.bat file you said, but it did not generate a zip file. Cannot find it. Also, when installing Java, Spybot came up with a few 'entry to registry' prompts. I noticed an 'object helper'; is it reinstalling itself on my PC again?
    I have uploaded a print screen. Is the Avenger log also this zip I am uploading?
     

    Attached Files:

  8. feri

    feri Private E-2

    Found it. Here is MGlog.zip. Was my bmp uploaded?
     

    Attached Files:

  9. abri

    abri MajorGeek

    Hi feri,

    You don't have to zip the Avenger log. Just upload it as a normal file. What I got is a zip file with 0 bytes in it.

    Also, did you get a success message with the regedit4 registry patch?

    Thanks.
    abri
     
  10. feri

    feri Private E-2

    Not sure about the success message with the regedit4 registry patch. Can't remember. Here is the Avenger log text. Hope all steps were done correctly....
     

    Attached Files:

  11. abri

    abri MajorGeek

    Hi feri,

    Syntax error, my fault. Sorry.

    1) Please rerun Avenger as you did in Post 5, Step 6 only this time use the contents of this box:
    When finished with the above, go to C:\Avenger.txt and open it. See if the deletion of this key was successful.

    Also, I don't think the registry patch ran. Some of your keys are changed by Combofix and part of the registry patch should have been to put them back where they were. Please try it a second time only I'll give you a shorter version this time. Also, be sure to include the word REGEDIT4 in what you copy to notepad. The file has to be saved as .reg and not as .txt. If you don't change the File Type to All Files, it can't save it this way.

    2) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    3) If you get a success message for the patch this time and if the Avenger log showed that that one entry got deleted, and if your computer is running as it should, then you can continue with our final cleanup instructions.
    abri
     
    Last edited: May 4, 2008
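    The HijackThis entries abri listed in Post 5 and the REGEDIT4 patch format discussed in Post 11 are both plain-text formats a helper can check by hand. The script below is an added example written for this page; it is not MajorGeeks' tooling, not HijackThis, and not the patch abri actually gave feri (which is missing from the page). It parses HijackThis-style O2 (BHO) and O20 (Winlogon Notify) lines, keeps only the entries HijackThis marked "(no file)" or "(file missing)", and emits a REGEDIT4 patch that deletes just those orphaned registry keys. The sample log is constructed: the "(no file)" and "(file missing)" lines are copied from Post 5, while the Adobe BHO and crypt32chain lines are made-up live entries so the filter has something to keep. The registry paths are the standard BHO and Winlogon Notify locations; the HijackThis line layout is assumed from the entries shown in the post.

```python
import re

# Constructed sample in HijackThis log format. The O2 "(no file)" and O20
# "(file missing)" lines are the entries from Post 5; the Adobe BHO and
# crypt32chain lines are invented live entries that must NOT be removed.
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4A118058-DD55-4984-BA24-2DB90115EC80} - (no file)
O2 - BHO: (no name) - {60dad4d9-6e4d-4845-8c1b-83e1254e78e7} - (no file)
O2 - BHO: (no name) - {7A50A140-0B85-4B54-AC66-7D84B3F55651} - (no file)
O20 - Winlogon Notify: byXPGAsq - byXPGAsq.dll (file missing)
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

# Standard registry locations that the O2 and O20 HijackThis sections report on.
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Line layout assumed from the entries shown in the thread:
#   O2 - BHO: <name> - {CLSID} - <path or "(no file)">
#   O20 - Winlogon Notify: <subkey> - <dll> [(file missing)]
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<path>.*)$"
)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>[^ ]+) - (?P<path>.*)$")


def parse_hjt(log_text):
    """Return one dict per O2/O20 line, flagging entries whose file is gone."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            path = m.group("path").strip()
            entries.append({
                "kind": "O2",
                "id": m.group("clsid").upper(),   # registry keys are case-insensitive; normalise
                "path": path,
                "orphan": path == "(no file)",
            })
            continue
        m = O20_RE.match(line)
        if m:
            path = m.group("path").strip()
            entries.append({
                "kind": "O20",
                "id": m.group("name"),
                "path": path,
                "orphan": path.endswith("(file missing)"),
            })
    return entries


def orphaned(entries):
    """Only entries whose DLL HijackThis could not find are safe to cut from the registry."""
    return [e for e in entries if e["orphan"]]


def build_reg_fix(entries):
    """Emit a REGEDIT4 patch deleting the orphaned keys and nothing else."""
    out = ["REGEDIT4", ""]            # the header must be followed by a blank line
    for e in orphaned(entries):
        parent = BHO_KEY if e["kind"] == "O2" else NOTIFY_KEY
        out.append(f"[-{parent}\\{e['id']}]")   # a leading '-' in the key name deletes the key
        out.append("")
    return "\r\n".join(out) + "\r\n"  # regedit expects CRLF line endings


def save_reg(path, text):
    """Write the patch as an ANSI .reg file; newline='' keeps the CRLFs already in the text."""
    with open(path, "w", encoding="cp1252", newline="") as fh:
        fh.write(text)


if __name__ == "__main__":
    found = parse_hjt(HJT_SAMPLE)
    for e in orphaned(found):
        print(f"orphan {e['kind']}: {e['id']} -> {e['path']}")
    print(build_reg_fix(found))
```

Two points from the thread carry over to the script. First, the file must be saved as `fixME.reg` with "Save as type" set to All Files, exactly as abri says, or Notepad appends `.txt` and double-clicking opens it instead of merging it; `save_reg` writes the extension you pass it. Second, this only removes registry entries whose DLL is already gone. A Vundo component that is still on disk, like the `nkgjunfg.ini` in Post 12, is loaded early and has to be deleted at boot by something like Avenger; a .reg patch alone leaves it in place.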
  12. feri

    feri Private E-2

    Have a look at this log file for Avenger. It did not/could not delete the file C:\WINDOWS\system32\nkgjunfg.ini
    I've uploaded the text file
     

    Attached Files:

  13. abri

    abri MajorGeek

    Hi feri,
    It did delete it. The log you just posted seems to be cumulative, so it has the results for both times you ran Avenger. How is your computer running now?
    abri
     
  14. feri

    feri Private E-2

    Everything is going fine, but I have not done the final steps from Combofix onwards... should I do it? Another thing I wanted to ask: while doing all this stuff, a) do I do the steps offline? b) am I supposed to shut off my spyware killer and antivirus?
    I really appreciate your help. I guess one more reply from you about this and we will be done...
     
  15. abri

    abri MajorGeek

    Hi feri,
    No. Having your security programs running shouldn't prevent you from removing the programs and logs we had you put on your computer. Be sure to reset your restore points as instructed at the end, so you'll have a clean restore point to come back to.
    Let me know how this went.
    abri
     
  16. feri

    feri Private E-2

    Thanks for your help arbi! I will return to this site if any further malware penetration occurs. Any suggestions for a free software firewall? I don't use the restore points. Next time I get something this bad, I am going to format...
     
  17. feri

    feri Private E-2

    *abri, sorry
     
  18. abri

    abri MajorGeek

